New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Backport 2.x] dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.10.4 #3396

Merged

peternied merged 1 commit into 2.x from backport/backport-3392-to-2.x

Sep 25, 2023

Contributor

opensearch-trigger-bot bot commented Sep 25, 2023

Backport dfecc00 from #3392.


          dependabot: bump org.xerial.snappy:snappy-java from 1.1.10.3 to 1.1.1…

0fb115d

…0.4 (#3392)

Bumps
[org.xerial.snappy:snappy-java](https://github.com/xerial/snappy-java)
from 1.1.10.3 to 1.1.10.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/xerial/snappy-java/releases">org.xerial.snappy:snappy-java's
releases</a>.</em></p>
<blockquote>
<h2>v1.1.10.4</h2>
<!-- raw HTML omitted -->
<h2>What's Changed</h2>
<h3>Security Fix</h3>
<ul>
<li>Fixed SnappyInputStream so as not to allocate too large memory when
decompressing data with an extremely large chunk size by <a
href="https://github.com/tunnelshade"><code>@tunnelshade</code></a> (<a
href="https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5">code
change</a>)
<ul>
<li>This does not affect users only using Snappy.compress/uncompress
methods</li>
</ul>
</li>
</ul>
<h3>🚀 Features</h3>
<ul>
<li>feature: Upgrade the internal snappy version to 1.1.10 (1.1.8 was
wrongly used before) by <a
href="https://github.com/xerial"><code>@xerial</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/508">xerial/snappy-java#508</a></li>
<li>Support JDK21 (no internal change)</li>
</ul>
<h3>🔗 Dependency Updates</h3>
<ul>
<li>Update scalafmt-core to 3.7.11 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/485">xerial/snappy-java#485</a></li>
<li>Update sbt to 1.9.3 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/483">xerial/snappy-java#483</a></li>
<li>Update scalafmt-core to 3.7.12 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/487">xerial/snappy-java#487</a></li>
<li>Bump actions/checkout from 3 to 4 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/502">xerial/snappy-java#502</a></li>
<li>Update sbt to 1.9.4 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/496">xerial/snappy-java#496</a></li>
<li>Update scalafmt-core to 3.7.14 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/501">xerial/snappy-java#501</a></li>
<li>Update sbt to 1.9.6 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/505">xerial/snappy-java#505</a></li>
<li>Update native libraries by <a
href="https://github.com/github-actions"><code>@github-actions</code></a>
in <a
href="https://redirect.github.com/xerial/snappy-java/pull/503">xerial/snappy-java#503</a></li>
</ul>
<h3>🛠  Internal Updates</h3>
<ul>
<li>Update airframe-log to 23.7.4 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/486">xerial/snappy-java#486</a></li>
<li>Update airframe-log to 23.8.0 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/488">xerial/snappy-java#488</a></li>
<li>Update sbt-scalafmt to 2.5.2 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/500">xerial/snappy-java#500</a></li>
<li>Update airframe-log to 23.8.6 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/497">xerial/snappy-java#497</a></li>
<li>Update sbt-scalafmt to 2.5.1 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/499">xerial/snappy-java#499</a></li>
<li>Update airframe-log to 23.9.1 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/504">xerial/snappy-java#504</a></li>
<li>Update airframe-log to 23.9.2 by <a
href="https://github.com/xerial-bot"><code>@xerial-bot</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/509">xerial/snappy-java#509</a></li>
</ul>
<h3>Other Changes</h3>
<ul>
<li>Update NOTICE by <a
href="https://github.com/imsudiproy"><code>@imsudiproy</code></a> in <a
href="https://redirect.github.com/xerial/snappy-java/pull/492">xerial/snappy-java#492</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4">https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5"><code>9f8c3cf</code></a>
Merge pull request from GHSA-55g7-9cwv-5qfv</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/49d700175f18ed5f8c5d371b7c2f80c75979bd68"><code>49d7001</code></a>
Update airframe-log to 23.9.2 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/509">#509</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/1f07c3182c2dc89d4226e9a6d8945b8458870a0a"><code>1f07c31</code></a>
Update native libraries for f2e97f27be0dc6c691369040ba8a673bface484c (<a
href="https://redirect.github.com/xerial/snappy-java/issues/503">#503</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/13f8db197c4c44f0b6a02240c04205e8362b8e62"><code>13f8db1</code></a>
Update sbt to 1.9.6 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/505">#505</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/f2e97f27be0dc6c691369040ba8a673bface484c"><code>f2e97f2</code></a>
feature: Upgrade the internal snappy version to 1.1.10 (1.1.8 was
wrongly use...</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/98b22256fe4ed00ccaadd2dac98b1622563cc50b"><code>98b2225</code></a>
Update airframe-log to 23.9.1 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/504">#504</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/9f29b5c0f869d4027a4d5c1464907a79152013bf"><code>9f29b5c</code></a>
Update NOTICE (<a
href="https://redirect.github.com/xerial/snappy-java/issues/492">#492</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/55639b55de52e1c06ac9a7df6844f85313407955"><code>55639b5</code></a>
Update sbt-scalafmt to 2.5.1 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/499">#499</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/a5d81a6589360f299ae7ec35a79c317fd78e795d"><code>a5d81a6</code></a>
Update airframe-log to 23.8.6 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/497">#497</a>)</li>
<li><a
href="https://github.com/xerial/snappy-java/commit/6495da1af211e993cd0750c9c70b69d458c4a570"><code>6495da1</code></a>
Update scalafmt-core to 3.7.14 (<a
href="https://redirect.github.com/xerial/snappy-java/issues/501">#501</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/xerial/snappy-java/compare/v1.1.10.3...v1.1.10.4">compare
view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.xerial.snappy:snappy-java&package-manager=gradle&previous-version=1.1.10.3&new-version=1.1.10.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)

</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit dfecc00)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

opensearch-trigger-bot bot requested review from cliu123, cwperks, DarshitChanpura, davidlago, peternied, RyanL1997, stephen-crawford, reta and willyborankin as code owners

September 25, 2023 11:38

codecov bot commented Sep 25, 2023 •

edited

Loading

Codecov Report

Merging #3396 (0fb115d) into 2.x (a2daf9f) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##                2.x    #3396      +/-   ##
============================================
- Coverage     64.11%   64.10%   -0.01%     
  Complexity     3367     3367              
============================================
  Files           256      256              
  Lines         19515    19515              
  Branches       3297     3297              
============================================
- Hits          12512    12511       -1     
- Misses         5360     5362       +2     
+ Partials       1643     1642       -1

see 1 file with indirect coverage changes

reta approved these changes

View reviewed changes

willyborankin approved these changes

View reviewed changes

cwperks approved these changes

View reviewed changes

peternied merged commit 3841f14 into 2.x

99 of 101 checks passed

peternied deleted the backport/backport-3392-to-2.x branch

September 25, 2023 21:12

DarshitChanpura pushed a commit to DarshitChanpura/security that referenced this pull request


          [Backport 2.x] dependabot: bump org.xerial.snappy:snappy-java from 1.…

11b7092

…1.10.3 to 1.1.10.4 (opensearch-project#3396)

Backport dfecc00 from opensearch-project#3392.

Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

cwperks cwperks approved these changes

reta reta approved these changes

willyborankin willyborankin approved these changes

cliu123 Awaiting requested review from cliu123

DarshitChanpura Awaiting requested review from DarshitChanpura DarshitChanpura is a code owner

davidlago Awaiting requested review from davidlago

peternied Awaiting requested review from peternied peternied is a code owner

RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

stephen-crawford Awaiting requested review from stephen-crawford

Labels

None yet