dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.1… · opensearch-project/security@0fb115d

Commit

dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.1…

…0.4 (#3392)

Bumps
[org.xerial.snappy:snappy-java](https://github.com/xerial/snappy-java)
from 1.1.10.3 to 1.1.10.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/xerial/snappy-java/releases">org.xerial.snappy:snappy-java's
releases</a>.</em></p>
<blockquote>
<h2>v1.1.10.4</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<h3>Security Fix</h3>
<ul>
<li>Fixed SnappyInputStream so as not to allocate too large memory when
decompressing data with an extremely large chunk size by <a
href="https://github.com/tunnelshade"><code>@tunnelshade</code></a> (<a
href="https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5">code
change</a>)
<ul>
<li>This does not affect users only using Snappy.compress/uncompress
methods</li>
</ul>
</li>
</ul>
<h3>🚀 Features</h3>
<ul>
<li>feature: Upgrade the internal snappy version to 1.1.10 (1.1.8 was
wrongly used before) by <a
href="https://github.com/xerial"><code>@xerial</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/508">xerial/snappy-java#508</a></li>
<li>Support JDK21 (no internal change)</li>
</ul>
<h3>🔗 Dependency Updates</h3>
<ul>
<li>Update scalafmt-core to 3.7.11 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/485">xerial/snappy-java#485</a></li>
<li>Update sbt to 1.9.3 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/483">xerial/snappy-java#483</a></li>
<li>Update scalafmt-core to 3.7.12 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/487">xerial/snappy-java#487</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/502">xerial/snappy-java#502</a></li>
<li>Update sbt to 1.9.4 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/496">xerial/snappy-java#496</a></li>
<li>Update scalafmt-core to 3.7.14 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/501">xerial/snappy-java#501</a></li>
<li>Update sbt to 1.9.6 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/505">xerial/snappy-java#505</a></li>
<li>Update native libraries by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>
in <a
href="https://redirect.github.com/xerial/snappy-java/pull/503">xerial/snappy-java#503</a></li>
</ul>
<h3>🛠  Internal Updates</h3>
<ul>
<li>Update airframe-log to 23.7.4 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/486">xerial/snappy-java#486</a></li>
<li>Update airframe-log to 23.8.0 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/488">xerial/snappy-java#488</a></li>
<li>Update sbt-scalafmt to 2.5.2 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/500">xerial/snappy-java#500</a></li>
<li>Update airframe-log to 23.8.6 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/497">xerial/snappy-java#497</a></li>
<li>Update sbt-scalafmt to 2.5.1 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/499">xerial/snappy-java#499</a></li>
<li>Update airframe-log to 23.9.1 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/504">xerial/snappy-java#504</a></li>
<li>Update airframe-log to 23.9.2 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/509">xerial/snappy-java#509</a></li>
</ul>
<h3>Other Changes</h3>
<ul>
<li>Update NOTICE by <a
href="https://github.com/imsudiproy"><code>@imsudiproy</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/492">xerial/snappy-java#492</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4">https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"><code>9f8c3cf</code></a>
Merge pull request from GHSA-55g7-9cwv-5qfv</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/49d700175f18ed5f8c5d371b7c2f80c75979bd68"><code>49d7001</code></a>
Update airframe-log to 23.9.2 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/509">#509</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/1f07c3182c2dc89d4226e9a6d8945b8458870a0a"><code>1f07c31</code></a>
Update native libraries for f2e97f27be0dc6c691369040ba8a673bface484c (<a
href="https://redirect.github.com/xerial/snappy-java/issues/503">#503</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/13f8db197c4c44f0b6a02240c04205e8362b8e62"><code>13f8db1</code></a>
Update sbt to 1.9.6 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/505">#505</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/f2e97f27be0dc6c691369040ba8a673bface484c"><code>f2e97f2</code></a>
feature: Upgrade the internal snappy version to 1.1.10 (1.1.8 was
wrongly use...</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/98b22256fe4ed00ccaadd2dac98b1622563cc50b"><code>98b2225</code></a>
Update airframe-log to 23.9.1 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/504">#504</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/9f29b5c0f869d4027a4d5c1464907a79152013bf"><code>9f29b5c</code></a>
Update NOTICE (<a
href="https://redirect.github.com/xerial/snappy-java/issues/492">#492</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/55639b55de52e1c06ac9a7df6844f85313407955"><code>55639b5</code></a>
Update sbt-scalafmt to 2.5.1 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/499">#499</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/a5d81a6589360f299ae7ec35a79c317fd78e795d"><code>a5d81a6</code></a>
Update airframe-log to 23.8.6 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/497">#497</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/6495da1af211e993cd0750c9c70b69d458c4a570"><code>6495da1</code></a>
Update scalafmt-core to 3.7.14 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/501">#501</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.xerial.snappy:snappy-java&package-manager=gradle&previous-version=1.1.10.3&new-version=1.1.10.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit dfecc00)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Loading branch information

github-actions[bot] and dependabot[bot] committed Sep 25, 2023

1 parent a2daf9f commit 0fb115d

build.gradle

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -432,7 +432,7 @@ configurations {
  
                force "io.netty:netty-transport-native-unix-common:${versions.netty}"

                force "org.apache.bcel:bcel:6.7.0" // This line should be removed once Spotbugs is upgraded to 4.7.4

                force "com.github.luben:zstd-jni:${versions.zstd}"

                force "org.xerial.snappy:snappy-java:1.1.10.3"

                force "org.xerial.snappy:snappy-java:1.1.10.4"

                force "com.google.guava:guava:${guava_version}"

            }

        }

    @@ -562,7 +562,7 @@ dependencies {
  
        runtimeOnly 'io.dropwizard.metrics:metrics-core:4.2.19'

        runtimeOnly 'org.slf4j:slf4j-api:1.7.36'

        runtimeOnly "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}"

        runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.3'

        runtimeOnly 'org.xerial.snappy:snappy-java:1.1.10.4'

        runtimeOnly 'org.codehaus.woodstox:stax2-api:4.2.1'

        runtimeOnly "org.glassfish.jaxb:txw2:${jaxb_version}"

        runtimeOnly 'com.fasterxml.woodstox:woodstox-core:6.5.1'

0 comments on commit `0fb115d`

Please sign in to comment.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Commit

There are no files selected for viewing

0 comments on commit `0fb115d`

Commit

There are no files selected for viewing

0 comments on commit 0fb115d

0 comments on commit `0fb115d`