DAPR 1.6 uses Spring Boot Starter Web with vulnerability #782

Closed
sujitp149 opened this issue Sep 15, 2022 · 4 comments
Labels: good first issue (Good for newcomers), P1

Comments

sujitp149 commented Sep 15, 2022

DAPR 1.6 uses spring-boot-starter-web/2.3.5.RELEASE, which has a vulnerability. Are there any plans to upgrade to a Spring Boot Starter Web version without the vulnerability, as many organizations don't allow any artifacts with an open vulnerability?

pravinpushkar (Contributor) commented
@sujitp149 Thanks for reporting this. We can try bumping the version to 2.7.3. Please feel free to submit a PR, we can see if that is breaking anything.
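As an added example (not code from the dapr-sdk project or from this thread): a consumer pom.xml that forces the transitive spring-boot-starter-web brought in by the Dapr SDK up to the 2.7.3 proposed above, for projects that cannot wait for the upstream bump. The io.dapr:dapr-sdk-springboot coordinates and the example.org project coordinates are assumptions; verify the override with `mvn dependency:tree -Dincludes=org.springframework.boot` and confirm that 2.3.5.RELEASE no longer appears.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder project coordinates (assumed, not from the thread). -->
  <groupId>org.example</groupId>
  <artifactId>dapr-consumer</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Import the Spring Boot 2.7.3 BOM. Managed versions take precedence over the
           2.3.5.RELEASE version declared transitively by the Dapr SDK, and importing the
           whole BOM keeps spring-web, tomcat, jackson etc. aligned with the starter. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.7.3</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed artifact: the Dapr Spring Boot integration that pulls in
         spring-boot-starter-web as a transitive dependency. -->
    <dependency>
      <groupId>io.dapr</groupId>
      <artifactId>dapr-sdk-springboot</artifactId>
      <version>1.6.0</version>
    </dependency>
  </dependencies>
</project>
```

Run `mvn dependency:tree -Dincludes=org.springframework.boot` after the change; every org.springframework.boot line should now report 2.7.3, which is the check the thread below asks for before the issue is closed.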

rowi1de commented Sep 22, 2022

Out of curiosity: why is spring-boot-starter-web included and not spring-boot-starter-webflux, as all methods seem to be non-blocking?

artursouza (Contributor) commented
Out of curiosity: why is spring-boot-starter-web included and not spring-boot-starter-webflux, as all methods seem to be non-blocking?

Great point, I think we should offer webflux but it should probably be a new artifact so it does not break existing users.

artursouza added the good first issue (Good for newcomers) and P1 labels Nov 7, 2022
artursouza added this to the v1.8 milestone Nov 7, 2022
artursouza self-assigned this Feb 1, 2023
artursouza modified the milestones: v1.8, v1.9 Feb 3, 2023

artursouza (Contributor) commented

I have added the PR above to the release. I will keep this open to confirm that it will really remove the vulnerability. If not, we will need to upgrade to a new major version in the next release.
