
[BUG] v7.16.0 JAR contains outdated dependencies despite PR #21980 being merged #22168

@jwson-automation


Bug Report Checklist

  • Have you provided a full/minimal spec to reproduce the issue?
  • [N/A] Have you validated the input using an OpenAPI validator?
  • Have you tested with the latest master to confirm the issue still exists?
  • Have you searched for related issues/PRs?
  • What's the actual output vs expected output?
  • [Optional] Sponsorship to speed up the bug fix or feature request
Description

The v7.16.0 release contains outdated dependencies in the JAR file despite PR #21980 being merged and mentioned in the release notes. This causes security vulnerabilities to persist in the released artifact even though they were fixed in the source code.

Security scanners (grype, syft) detect the following vulnerabilities in openapi-generator-cli-7.16.0.jar:

openapi-generator version

v7.16.0 (released September 28, 2025)

This is NOT a regression - it appears to be a build/release process issue where the dependency updates from PR #21980 (merged September 16, 2025) were not properly included in the JAR artifact.

OpenAPI declaration file content or url

N/A - This is not related to any specific OpenAPI spec. The issue is with the JAR artifact itself.

Generation Details

```shell
# Using openapi-generator-cli via Dart pub
dart pub global activate openapi_generator_cli

# The JAR is automatically downloaded from Maven Central:
# https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
```
Steps to reproduce

  1. Download the v7.16.0 JAR:

```shell
curl -L -o openapi-generator-cli-7.16.0.jar \
  https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
```

  2. Check the commons-lang3 version inside the JAR:

```shell
unzip -p openapi-generator-cli-7.16.0.jar \
  META-INF/maven/org.apache.commons/commons-lang3/pom.properties | grep version
```

Expected output:

```
version=3.18.0
```

Actual output:

```
version=3.12.0
```

  3. Verify with security scanner:

```shell
syft openapi-generator-cli-7.16.0.jar -o json > sbom.json
grype sbom:sbom.json | grep -E "commons-lang3|logback-core"
```

Output shows vulnerabilities:

```
commons-lang3  3.12.0  3.18.0  java-archive  GHSA-j288-q9x7-2f5v  Medium
logback-core   1.2.13  1.3.15  java-archive  GHSA-pr98-23f8-jwxv  Medium
logback-core   1.2.13  1.3.15  java-archive  GHSA-6v67-2wr5-gvf4  Low
```
Related issues/PRs
Suggest a fix

The issue appears to be in the Maven build/release process. Possible causes:

  1. Wrong commit tagged: The v7.16.0 tag might point to a commit before PR #21980 (Update commons related dependencies to newer versions) was merged
  2. Maven dependency resolution issue: The POM might specify the correct version, but Maven resolved to an older cached version during build
  3. Shaded JAR not rebuilt: If using maven-shade-plugin, the shaded JAR might not have been properly rebuilt

Suggested solutions:

  1. Verify the v7.16.0 tag points to the correct commit (should be after the commit from PR #21980, Update commons related dependencies to newer versions)
  2. Check pom.xml in v7.16.0 tag to confirm the dependency versions are correct
  3. Rebuild and republish v7.16.0 with a clean Maven cache, or
  4. Include the fix in v7.17.0 with proper verification of dependency versions in the final JAR

Verification command for future releases:

```shell
# Extract and verify all dependency versions
unzip -l openapi-generator-cli-${VERSION}.jar | grep "META-INF/maven" | grep "pom.properties"
```
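The reproduction steps and the verification command above both rely on the same fact: Maven records every bundled artifact in the JAR under `META-INF/maven/<groupId>/<artifactId>/pom.properties`, so what a release actually ships can be read from the artifact rather than from the release notes or the `pom.xml` at the tag. The following script is an added example (not code from the issue author or the openapi-generator project) that turns the one-line `unzip | grep` check into a release gate: it parses every `pom.properties` in a JAR and fails if a bundled version is below a required minimum. The minimums for `commons-lang3` (3.18.0) and `logback-core` (1.3.15) are the "fixed in" versions from the grype output quoted in the report; the `ch.qos.logback` groupId for logback-core is assumed from the upstream project coordinates, the sample JAR built in `build_sample_jar()` is constructed in memory to mirror the reported state and is not the real `openapi-generator-cli-7.16.0.jar`, and `org.example:unrelated-lib` is a placeholder artifact.

```python
"""Check the dependency versions actually bundled inside a (shaded) JAR.

Added example: reads META-INF/maven/<groupId>/<artifactId>/pom.properties
entries from a JAR and compares them against required minimum versions.
"""
import io
import re
import sys
import zipfile

POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Minimum fixed versions taken from the grype output quoted in the report.
# The ch.qos.logback groupId is assumed from the upstream project coordinates.
MINIMUMS = {
    ("org.apache.commons", "commons-lang3"): "3.18.0",
    ("ch.qos.logback", "logback-core"): "1.3.15",
}


def parse_properties(text: str) -> dict:
    """Parse a Java .properties file: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def bundled_versions(jar_bytes: bytes) -> dict:
    """Map (groupId, artifactId) -> version for every pom.properties in the JAR."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPERTIES.match(name)
            if not match:
                continue
            props = parse_properties(jar.read(name).decode("utf-8", "replace"))
            # Prefer the coordinates written in the file; fall back to the path.
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            found[(group, artifact)] = props.get("version", "unknown")
    return found


def version_key(version: str) -> tuple:
    """Turn '3.18.0' or '1.2.13-SNAPSHOT' into a comparable tuple of ints."""
    key = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def check_minimums(found: dict, minimums: dict) -> list:
    """Return (group, artifact, bundled, required) for every required artifact
    that is bundled below its minimum version or not bundled at all."""
    findings = []
    for coords, required in minimums.items():
        bundled = found.get(coords)
        if bundled is None:
            findings.append((*coords, "not bundled", required))
        elif version_key(bundled) < version_key(required):
            findings.append((*coords, bundled, required))
    return findings


def build_sample_jar() -> bytes:
    """Constructed in-memory stand-in for the reported JAR (not the real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.apache.commons/commons-lang3/pom.properties",
                     "#Generated by Maven\nversion=3.12.0\n"
                     "groupId=org.apache.commons\nartifactId=commons-lang3\n")
        jar.writestr("META-INF/maven/ch.qos.logback/logback-core/pom.properties",
                     "version=1.2.13\ngroupId=ch.qos.logback\nartifactId=logback-core\n")
        # Placeholder artifact with no minimum configured; must not be flagged.
        jar.writestr("META-INF/maven/org.example/unrelated-lib/pom.properties",
                     "version=1.0.0\ngroupId=org.example\nartifactId=unrelated-lib\n")
    return buf.getvalue()


def check_jar_file(path: str, minimums: dict = MINIMUMS) -> list:
    """Convenience wrapper for a JAR on disk, e.g. a freshly built release artifact."""
    with open(path, "rb") as fh:
        return check_minimums(bundled_versions(fh.read()), minimums)


if __name__ == "__main__":
    # Usage: python check_jar.py path/to/openapi-generator-cli-<VERSION>.jar
    # Without an argument the constructed sample JAR is checked instead.
    if len(sys.argv) > 1:
        problems = check_jar_file(sys.argv[1])
    else:
        problems = check_minimums(bundled_versions(build_sample_jar()), MINIMUMS)
    for group, artifact, bundled, required in problems:
        print(f"{group}:{artifact} bundled={bundled} required>={required}")
    sys.exit(1 if problems else 0)
```

Run against a release candidate in CI, a non-zero exit blocks publishing when the shaded JAR does not contain the versions the `pom.xml` declares, which is exactly the mismatch this report describes. Absence of a required artifact is reported as `not bundled` rather than silently passed, so a renamed or relocated dependency is noticed and the minimum list can be updated deliberately.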
