
Releases: exasol/cloud-storage-extension

2.9.6 Fixed vulnerabilities CVE-2026-42587, CVE-2026-45205, CVE-2026-41417, CVE-2026-42580, CVE-2026-42581, CVE-2026-42584, CVE-2026-42585, CVE-2026-42587, CVE-2026-0636, CVE-2026-5588, CVE-2026-5598, CVE-2026-42578, CVE-2026-42582, CVE-2026-42583, CVE-2026-34477, CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-42577

12 Jun 10:02
fa00a18


This release fixes the following 19 vulnerabilities:

CVE-2026-42587 (CWE-400) in dependency io.netty:netty-codec-http2:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://guide.sonatype.com/vulnerability/CVE-2026-42587 for details.


CVE-2026-45205 (CWE-674) in dependency org.apache.commons:commons-configuration2:jar:2.11.0:compile

Uncontrolled Recursion vulnerability in Apache Commons.

When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles.
This issue affects Apache Commons: from 2.2 before 2.15.0.

Users are recommended to upgrade to version 2.15.0, which fixes the issue.


CVE-2026-41417 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.


CVE-2026-42580 (CWE-190) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.


CVE-2026-42581 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.


CVE-2026-42584 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message's body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.


CVE-2026-42585 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.


CVE-2026-42587 (CWE-400) in dependency io.netty:netty-codec-http:jar:4.2.12.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://guide.sonatype.com/vulnerability/CVE-2026-42587 for details.

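As an added, defense-in-depth example that is not part of these release notes or of the project's code, the following Netty inbound handler rejects the two request shapes described above for CVE-2026-42581 (Transfer-Encoding together with Content-Length, refused here for every HTTP version rather than for HTTP/1.0 only) and CVE-2026-42587 (content encodings that the maxAllocation limit does not cover). The class name, the encoding allow-list and the pipeline position are assumptions; it relies on the public Netty 4.x API (HttpUtil, HttpHeaderNames, DefaultFullHttpResponse).

```java
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.*;
import io.netty.util.ReferenceCountUtil;

import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical defense-in-depth guard, one instance per pipeline (not @Sharable).
 * Install it right after HttpServerCodec and before HttpContentDecompressor, so the
 * two request shapes from the advisories are dropped before decompression or any
 * downstream handler sees them.
 */
public final class RequestHeaderGuard extends ChannelInboundHandlerAdapter {

    // Encodings HttpContentDecompressor handles via ZlibDecoder, where maxAllocation
    // is enforced; br, zstd and snappy are deliberately absent (assumed allow-list).
    private static final Set<String> BOUNDED_ENCODINGS =
            Set.of("identity", "gzip", "x-gzip", "deflate", "x-deflate");

    private boolean rejected;

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (rejected) {                     // drop trailing HttpContent of a rejected request
            ReferenceCountUtil.release(msg);
            return;
        }
        if (msg instanceof HttpRequest) {
            String reason = rejectionReason((HttpRequest) msg);
            if (reason != null) {           // hook for logging/alerting on `reason` goes here
                rejected = true;
                ReferenceCountUtil.release(msg);
                ctx.writeAndFlush(new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.BAD_REQUEST))
                   .addListener(ChannelFutureListener.CLOSE);   // close: never re-parse from a bad offset
                return;
            }
        }
        ctx.fireChannelRead(msg);
    }

    /** Returns null for an acceptable request, otherwise a short reason string. */
    static String rejectionReason(HttpRequest req) {
        // CVE-2026-42581: Netty strips a conflicting Content-Length only for HTTP/1.1. Rejecting
        // the combination for every version removes the boundary ambiguity smuggling relies on.
        if (HttpUtil.isTransferEncodingChunked(req)
                && req.headers().contains(HttpHeaderNames.CONTENT_LENGTH)) {
            return "Transfer-Encoding and Content-Length both present on " + req.protocolVersion();
        }
        // CVE-2026-42587: maxAllocation is ignored for br, zstd and snappy, so refuse any
        // Content-Encoding that the bounded decoders do not cover.
        String encoding = req.headers().get(HttpHeaderNames.CONTENT_ENCODING);
        if (encoding != null && !BOUNDED_ENCODINGS.contains(encoding.trim().toLowerCase(Locale.ROOT))) {
            return "unsupported Content-Encoding: " + encoding;
        }
        return null;
    }
}
```

This only narrows the exposure of a server pipeline you control; the release itself addresses the issues by moving to the patched Netty versions.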

CVE-2026-0636 (CWE-90) in dependency org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules).

This vulnerability is associated with program files LDAPStoreHelper.

This issue affects BC-JAVA: from 1.74 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84.


CVE-2026-5588 (CWE-327) in dependency org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile

Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modules).

This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java, JcaContentVerfierProviderBuilder.Java.

This issue affects BC-JAVA: from 1.67 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11; BCPIX-LTS: from 2.73.7 before 2.73.11.



2.9.5 Migrate from Scala to Java

18 May 07:57
2699a8a


This release migrates the project from Scala to Java to simplify maintenance and reduce dependencies.

As part of this endeavor, we updated the parquet-io-java dependency to 2.0.16, which is now also pure Java.

This should not be a breaking change, so we only bumped the patch number of the release. It is a major refactoring, though. We ran all tests before and after migrating them.
If you read this release letter, we would love to get your feedback. Does the migrated code run as fast and reliably as before in your production environment?

You can use GitHub issues in this repository or a mail (opensource@exasol.com) to tell us your experiences!

Refactoring

  • #393: Migrate production code from Scala to Java

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added org.slf4j:slf4j-api:2.0.18

Test Dependency Updates

  • Removed com.dimafeng:testcontainers-scala-scalatest_2.13:0.41.4
  • Updated com.exasol:extension-manager-integration-test-java:0.5.13 to 0.5.19
  • Removed org.junit.jupiter:junit-jupiter-api:5.10.3
  • Added org.junit.jupiter:junit-jupiter:5.10.3
  • Removed org.scalatestplus:scalatestplus-mockito_2.13:1.0.0-SNAP5
  • Removed org.scalatest:scalatest_2.13:3.3.0-SNAP4
  • Updated org.testcontainers:localstack:1.20.3 to 1.21.4

Plugin Dependency Updates

  • Removed com.diffplug.spotless:spotless-maven-plugin:2.43.0
  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.6 to 2.0.7
  • Updated com.exasol:project-keeper-maven-plugin:5.4.6 to 5.6.2
  • Removed io.github.evis:scalafix-maven-plugin_2.13:0.1.7_0.10.3
  • Updated io.github.git-commit-id:git-commit-id-maven-plugin:9.0.2 to 10.0.0
  • Removed net.alchim31.maven:scala-maven-plugin:4.9.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.4 to 3.5.5
  • Updated org.apache.maven.plugins:maven-resources-plugin:3.4.0 to 3.5.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.4 to 3.5.5
  • Removed org.scalastyle:scalastyle-maven-plugin:1.0.0
  • Removed org.scalatest:scalatest-maven-plugin:2.2.0

2.9.4 Update dependencies to fix CVEs

01 Apr 14:37
f90dd67


This release updates the project dependencies to fix the following CVEs:

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated org.apache.avro:avro:1.12.0 to 1.12.1
  • Updated org.apache.orc:orc-core:1.9.7 to 1.9.8
  • Updated org.apache.zookeeper:zookeeper:3.9.4 to 3.9.5

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.5 to 2.0.6
  • Updated com.exasol:project-keeper-maven-plugin:5.4.5 to 5.4.6
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.14.1 to 3.15.0
  • Updated org.codehaus.mojo:versions-maven-plugin:2.20.1 to 2.21.0

2.9.3 Upgrade protobuf dependency

12 Feb 10:24
0400bd5


This release upgrades the protobuf-java dependency to fix the HDFS access issue.

Features

  • #367: java.lang.IllegalAccessError: ... tried to access method 'org.apache.hadoop.thirdparty.protobuf.LazyStringArrayList

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.google.protobuf:protobuf-java-util:3.25.8
  • Updated com.google.protobuf:protobuf-java:3.25.5 to 3.25.8

Runtime Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.5.23 to 1.5.29
  • Updated ch.qos.logback:logback-core:1.5.23 to 1.5.29

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:5.4.4 to 5.4.5

2.9.2 Spark upgrade, documentation fixes and CVEs

09 Jan 04:57
8bf4a09


This release adds documentation about a workaround for the delta files import error. In addition, we upgraded the Spark version to the latest 3.5.x release and updated dependencies to fix CVEs in transitive dependencies.

Features

  • #365: Class import error on delta files

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added at.yawk.lz4:lz4-java:1.10.2
  • Removed io.airlift:aircompressor:0.27
  • Removed io.delta:delta-core_2.13:2.4.0
  • Added io.delta:delta-spark_2.13:3.3.2
  • Updated org.apache.logging.log4j:log4j-1.2-api:2.24.1 to 2.25.3
  • Updated org.apache.logging.log4j:log4j-api:2.24.1 to 2.25.3
  • Updated org.apache.logging.log4j:log4j-core:2.24.1 to 2.25.3
  • Updated org.apache.orc:orc-core:1.9.5 to 1.9.7
  • Updated org.apache.spark:spark-sql_2.13:3.4.1 to 3.5.7
  • Updated org.apache.zookeeper:zookeeper:3.9.3 to 3.9.4
  • Updated org.glassfish.jersey.containers:jersey-container-servlet-core:2.45 to 2.47
  • Updated org.glassfish.jersey.containers:jersey-container-servlet:2.45 to 2.47
  • Updated org.glassfish.jersey.core:jersey-client:2.45 to 2.47
  • Updated org.glassfish.jersey.core:jersey-common:2.45 to 2.47
  • Updated org.glassfish.jersey.core:jersey-server:2.45 to 2.47
  • Updated org.glassfish.jersey.inject:jersey-hk2:2.45 to 2.47
  • Added org.lz4:lz4-java:1.8.1

Runtime Dependency Updates

  • Updated ch.qos.logback:logback-classic:1.5.16 to 1.5.23
  • Updated ch.qos.logback:logback-core:1.5.16 to 1.5.23

Plugin Dependency Updates

  • Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.3 to 0.4.4
  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.4 to 2.0.5
  • Updated com.exasol:project-keeper-maven-plugin:5.2.3 to 5.4.4
  • Updated com.exasol:quality-summarizer-maven-plugin:0.2.0 to 0.2.1
  • Updated io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1 to 9.0.2
  • Updated org.apache.maven.plugins:maven-artifact-plugin:3.6.0 to 3.6.1
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.7.1 to 3.8.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.14.0 to 3.14.1
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.5.0 to 3.6.2
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.3 to 3.5.4
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.2 to 3.5.0
  • Updated org.apache.maven.plugins:maven-resources-plugin:3.3.1 to 3.4.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.3 to 3.5.4
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.7.0 to 1.7.3
  • Updated org.codehaus.mojo:versions-maven-plugin:2.18.0 to 2.20.1
  • Updated org.jacoco:jacoco-maven-plugin:0.8.13 to 0.8.14
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.1.0.4751 to 5.5.0.6356

2.9.1 Fixed vulnerabilities in netty

22 Sep 13:20
167fa84


This release fixes the following vulnerabilities:

CVE-2025-58057 (CWE-409) in dependency io.netty:netty-codec:jar:4.1.124.Final:runtime

netty-codec - Improper Handling of Highly Compressed Data (Data Amplification)


CVE-2025-58056 (CWE-444) in dependency io.netty:netty-codec-http:jar:4.1.124.Final:runtime

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

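The two chunk-size defects on this page, the bare-LF terminator of CVE-2025-58056 above and the silent int overflow of CVE-2026-42580 in release 2.9.6, both come down to a lenient chunk-size line parser. As an added example that is not the project's or Netty's code, this hypothetical strict parser shows the checks a validating proxy or test harness would apply to one chunk-size line (RFC 9112 section 7.1); the class and exception names are assumptions.

```java
import java.nio.charset.StandardCharsets;

/** Hypothetical strict parser for one HTTP/1.1 chunk-size line "HEX[;ext]CRLF". */
public final class StrictChunkSize {

    /** Raised for any line a lenient parser might accept but a peer might read differently. */
    public static final class BadChunkSize extends RuntimeException {
        BadChunkSize(String message) { super(message); }
    }

    /**
     * Returns the chunk size encoded in {@code line} (bytes up to and including the LF).
     * Rejects a line that ends in LF without a preceding CR (CVE-2025-58056), a size that
     * does not fit an int (CVE-2026-42580), non-hex bytes such as a sign or whitespace
     * before the digits, an empty size, and control bytes inside the chunk extension.
     */
    public static int parse(byte[] line) {
        int n = line.length;
        if (n < 3 || line[n - 1] != '\n' || line[n - 2] != '\r') {
            throw new BadChunkSize("chunk-size line must end with CRLF");
        }
        int i = 0;
        long size = 0;                      // long so the overflow check below is exact
        while (i < n - 2 && line[i] != ';') {
            int digit = Character.digit(line[i] & 0xff, 16);
            if (digit < 0) {
                throw new BadChunkSize("non-hex byte in chunk-size: 0x" + Integer.toHexString(line[i] & 0xff));
            }
            size = size * 16 + digit;
            if (size > Integer.MAX_VALUE) {
                throw new BadChunkSize("chunk-size exceeds int range");
            }
            i++;
        }
        if (i == 0) {
            throw new BadChunkSize("empty chunk-size");
        }
        for (int j = i; j < n - 2; j++) {   // chunk extension: no stray CR or LF allowed
            if (line[j] == '\r' || line[j] == '\n') {
                throw new BadChunkSize("control byte inside chunk extension");
            }
        }
        return (int) size;
    }

    /** Convenience overload for ASCII test input, e.g. parse("1a;name=value\r\n"). */
    public static int parse(String line) {
        return parse(line.getBytes(StandardCharsets.US_ASCII));
    }
}
```

A line such as "5\n" or "FFFFFFFFF\r\n" throws BadChunkSize here, whereas the advisories describe decoders that accepted the first and wrapped the second.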

Security

  • #360: Fixed vulnerability CVE-2025-58057 in dependency io.netty:netty-codec:jar:4.1.124.Final:runtime
  • #362: Fixed vulnerability CVE-2025-58056 in dependency io.netty:netty-codec-http:jar:4.1.124.Final:runtime

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Removed io.netty:netty-codec-http2:4.1.124.Final
  • Updated software.amazon.awssdk:s3-transfer-manager:2.32.31 to 2.34.0
  • Updated software.amazon.awssdk:s3:2.32.31 to 2.34.0

2.9.0 Upgrade of hadoop libraries

01 Sep 10:43
3663ace


This version upgrades hadoop from 3.3.6 to the latest 3.4.1, which fixes several CVEs in transitive dependencies and leverages all the improvements the recent hadoop libs have.

Security issues fixed:

CVE-2025-48924: org.apache.commons:commons-lang3:jar:3.17.0:compile

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.


CVE-2025-53864: com.nimbusds:nimbus-jose-jwt:jar:9.47:compile

Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.


CVE-2025-55163: io.netty:netty-codec-http2:jar:4.1.119.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.


Features

  • #310: Upgrade spark and hadoop versions

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added com.google.code.gson:gson:2.13.1
  • Updated io.netty:netty-codec-http2:4.1.119.Final to 4.1.124.Final
  • Updated org.apache.commons:commons-lang3:3.17.0 to 3.18.0
  • Updated org.apache.hadoop:hadoop-aws:3.3.6 to 3.4.1
  • Updated org.apache.hadoop:hadoop-azure-datalake:3.3.6 to 3.4.1
  • Updated org.apache.hadoop:hadoop-azure:3.3.6 to 3.4.1
  • Updated org.apache.hadoop:hadoop-common:3.3.6 to 3.4.1
  • Updated org.apache.hadoop:hadoop-hdfs-client:3.3.6 to 3.4.1
  • Updated org.apache.hadoop:hadoop-hdfs:3.3.6 to 3.4.1
  • Updated org.apache.orc:orc-core:1.9.6 to 1.9.5
  • Added software.amazon.awssdk:s3-transfer-manager:2.32.31
  • Added software.amazon.awssdk:s3:2.32.31

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
  • Updated com.exasol:project-keeper-maven-plugin:5.1.0 to 5.2.3

2.8.8 CVE fixes in transitive dependencies on top of 2.8.7

05 Jun 09:40
97d7f06


Fixed two CVEs in transitive dependencies: CVE-2025-48734 and CVE-2025-47436.

Features

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Added commons-beanutils:commons-beanutils:1.11.0
  • Updated org.apache.orc:orc-core:1.9.5 to 1.9.6

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:5.0.0 to 5.1.0
  • Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
  • Removed io.github.zlika:reproducible-build-maven-plugin:0.17
  • Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.2 to 3.5.3
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
  • Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751

2.8.7 Update test dependencies, added extra note in documentation

08 Apr 11:05
f1b3412


Test dependencies were updated, and an extra clarification about the curl parameters used for the extension upload was added to the documentation.

Features

Dependency Updates

Cloud Storage Extension

Test Dependency Updates

  • Updated com.exasol:exasol-testcontainers:7.1.1 to 7.1.4

Plugin Dependency Updates

  • Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.2 to 0.4.3
  • Updated com.exasol:project-keeper-maven-plugin:4.5.0 to 5.0.0
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.13.0 to 3.14.0
  • Updated org.apache.maven.plugins:maven-install-plugin:3.1.3 to 3.1.4
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0

2.8.6 Security fixes in NPM components, netty upgrade

11 Mar 17:17
2ba1c3d


Fixed CVE-2024-4068 in braces

Security

Dependency Updates

Cloud Storage Extension

Compile Dependency Updates

  • Updated io.netty:netty-codec-http2:4.1.115.Final to 4.1.119.Final

Extension

Development Dependency Updates

  • Updated eslint:9.14.0 to 9.18.0
  • Updated @types/node:^22.9.1 to ^22.10.7
  • Updated typescript-eslint:^8.14.0 to ^8.20.0
  • Updated typescript:^5.6.3 to ^5.7.3
  • Updated esbuild:^0.24.0 to ^0.24.2