Bump xstream from 1.4.19 to 1.4.20 #30187
Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.20.
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

---
updated-dependencies:
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

This fixes two CVEs (among other things): http://x-stream.github.io/changes.html#1.4.20
Seems we can now remove our https://github.com/quarkusio/quarkus/blob/main/test-framework/junit5/src/main/java/io/quarkus/test/junit/internal/OptionalConverter.java due to x-stream/xstream#293
WDYT @geoand?

Sounds good to me! Would you like to push a new commit into this PR?

Yeah, I'll squeeze that in.

Done,

Backporting because of the CVEs.

This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.15.2.Final` -> `2.15.3.Final` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.15.2.Final` -> `2.15.3.Final` |

---

### Release Notes

<details>
<summary>quarkusio/quarkus</summary>

### [`v2.15.3.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.15.3.Final)

[Compare Source](quarkusio/quarkus@2.15.2.Final...2.15.3.Final)

##### Complete changelog

- [#30255](quarkusio/quarkus#30255) - Introduce a JSON Stream parser for the reactive rest client
- [#30242](quarkusio/quarkus#30242) - Throw an IllegalStateException with basic info about the provider that failed to provide a resource
- [#30227](quarkusio/quarkus#30227) - SmallRye GraphQL 1.9.1/2.0.1 + config property to control Federation
- [#30218](quarkusio/quarkus#30218) - OIDC documentation fixes
- [#30200](quarkusio/quarkus#30200) - Ensure that Kotlin implementation of QuarkusApplication works properly
- [#30195](quarkusio/quarkus#30195) - Log graphql.execution.AbortExecutionException when it occurs
- [#30190](quarkusio/quarkus#30190) - 2.15.2.Final breaks command mode with main class extends from QuarkusApplication in kotlin
- [#30187](quarkusio/quarkus#30187) - Bump xstream from 1.4.19 to 1.4.20
- [#30183](quarkusio/quarkus#30183) - Fixing typos in security overview doc
- [#30177](quarkusio/quarkus#30177) - Properly handle SSE comments in RESTEasy Reactive client and server code
- [#30172](quarkusio/quarkus#30172) - Codestarts - Fix flattening of log levels
- [#30169](quarkusio/quarkus#30169) - NullPointerException when sending SSE with comment only
- [#30161](quarkusio/quarkus#30161) - Align behavior for getDeferredIdentity and getIdentity in TestIdentityAssociation
- [#30160](quarkusio/quarkus#30160) - Different behavior in TestIdentityAssociation for getDeferredIdentity and getIdentity
- [#30157](quarkusio/quarkus#30157) - Gradle quarkusDev: don't use test classes dir for app classes
- [#30155](quarkusio/quarkus#30155) - Show how to verify smallrye-jwt issuer in a shared network
- [#30154](quarkusio/quarkus#30154) - Remove remaining references to javax classes
- [#30152](quarkusio/quarkus#30152) - Improve error handling of AbortExecutionException in smallrye-graphql extension
- [#30146](quarkusio/quarkus#30146) - Properly segregate Json MessageBodyReader/Writer classes for server and client
- [#30145](quarkusio/quarkus#30145) - GraphQL federation directives, which allow multiple values, do not match Apollo contract
- [#30142](quarkusio/quarkus#30142) - When disabling name and version for label selectors in k8s, don't remove from labels
- [#30138](quarkusio/quarkus#30138) - Keycloak Dev Services
- [#30132](quarkusio/quarkus#30132) - Register REST Client body parameters for reflection
- [#30119](quarkusio/quarkus#30119) - Enable/disable GraphQL Federation automatically (+ add a config property for it)
- [#30100](quarkusio/quarkus#30100) - Setting `add-version-to-label-selectors: false` removes the app.kubernetes.io/version label
- [#30078](quarkusio/quarkus#30078) - Quarkus Kotlin Native Reactive REST Client not working properly
- [#30061](quarkusio/quarkus#30061) - Adding Kotlin Tests Breaks Kotlin/Java project
- [#30044](quarkusio/quarkus#30044) - Resteasy Reactive Rest Client fails to re-construct large chunks of streamed json (stream+json) and fails deserialization
- [#29998](quarkusio/quarkus#29998) - Bump to smallrye-config 2.13.1
- [#29918](quarkusio/quarkus#29918) - smallrye-config: Converter<Int> throws IllegalStateException
- [#29609](quarkusio/quarkus#29609) - Remove Reflection replacements, now supported by GraalVM

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v2.15.3.Final`](quarkusio/quarkus-platform@2.15.2.Final...2.15.3.Final)

[Compare Source](quarkusio/quarkus-platform@2.15.2.Final...2.15.3.Final)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).