
fix: Upgrade msgpack-core to 0.9.11 to fix CVE-2023-41915 #248

Merged
jakubuid merged 3 commits into develop from fix/upgrade-msgpack-core-0.9.11 on Jan 12, 2026

Conversation


@jakubuid jakubuid commented Jan 9, 2026

Summary

This PR upgrades org.msgpack:msgpack-core from 0.9.1 to 0.9.11 to fix a security vulnerability.

Security Fix

  • CVE: CVE-2023-41915
  • Type: Denial of Service vulnerability
  • Affected Version: 0.9.1
  • Fixed Version: 0.9.11

Changes

  • Updated dependency in protocol/sign/build.gradle.kts
  • Upgraded from 0.9.1 to 0.9.11 (latest stable version in 0.9.x series)

Compatibility

The upgrade is backward compatible. The code uses standard MessagePack APIs that are stable across 0.9.x versions.

Testing

  • Run existing tests to verify compatibility
  • Verify the vulnerability is resolved

- Upgraded org.msgpack:msgpack-core from 0.9.1 to 0.9.11
- Fixes CVE-2023-41915 (Denial of Service vulnerability)
- Latest stable version in 0.9.x series

claude bot commented Jan 9, 2026

Claude finished @jakubuid's task in 50s
Code Review: msgpack-core Security Upgrade

✅ No issues found

Review Summary

The PR correctly upgrades org.msgpack:msgpack-core from 0.9.1 to 0.9.11 to address CVE-2023-41915 (DoS vulnerability).

Verified:

  • Dependency declaration updated in protocol/sign/build.gradle.kts:105
  • This is the only location declaring the msgpack-core dependency
  • The library is actively used in Algorand.kt for MessagePack serialization/deserialization of Algorand transactions
  • Version 0.9.11 is a stable patch release that fixes the security vulnerability
  • Change is minimal and focused on the security fix

Automated Checks

✅ No external domain URLs detected
✅ No workflow security issues detected
✅ No cache-control issues detected
✅ No architecture violations detected



claude bot commented Jan 9, 2026

Claude finished @jakubuid's task in 54s
🔄 Incremental Review Complete

Tasks

  • Read changed files to understand new changes
  • Review dependency upgrade
  • Review test changes
  • Run automated checks
  • Report findings

Review Summary

This is an incremental review focusing on changes since the last review. The PR adds a new parameter (requests) to SessionProposeParams constructor calls in tests, adds a default value for proposalRequestsResponses in ApproveSessionUseCase, and reformats test code for better readability.

Changes since last review:

  1. Dependency upgrade: msgpack-core 0.9.1 → 0.9.11 (no change from previous review)
  2. NEW: Added requests = null parameter to test constructors
  3. NEW: Added default value = null for proposalRequestsResponses parameter in ApproveSessionUseCaseInterface
  4. NEW: Code formatting improvements in test files

✅ No new issues found in latest commits


Automated Checks

✅ No external domain URLs detected
✅ No workflow security issues detected
✅ No cache-control issues detected
✅ No architecture violations detected



claude bot commented Jan 12, 2026

Claude finished @jakubuid's task in 1m 32s
Tasks

  • Get git diff to understand changes since develop
  • Read changed files
  • Review changes for issues
  • Run automated checks
  • Report findings

🔄 Incremental Review: Complete

Changes Since Last Review

This review covers commits fe6a849bd, cce60c155, and 74c3cb6ba:

  1. Dependency upgrade: msgpack-core 0.9.1 → 0.9.11 (unchanged from previous reviews)
  2. Test parameter updates: Added requests = null parameter to SessionProposeParams constructor calls across test files
  3. Default parameter: Added proposalRequestsResponses: EngineDO.ProposalRequestsResponses? = null default value in ApproveSessionUseCaseInterface:185
  4. Code formatting: Improved test readability in GenerateApprovedNamespacesUtilsTest.kt (~526 lines of formatting changes)
  5. ProGuard rules: Added msgpack-core warning suppression rules to 4 sample app ProGuard files

Review

✅ No new issues found in latest commits

The changes are maintenance updates that improve code quality:

  • Test parameter additions maintain backward compatibility with optional requests parameter
  • ProGuard rules correctly suppress expected sun.nio.ch.** warnings for msgpack-core on Android (JVM-specific APIs not available on Android)
  • Code formatting changes in tests improve readability without altering behavior

Automated Checks

✅ No external domain URLs detected
✅ No workflow security issues detected
✅ No cache-control issues detected
✅ No architecture violations detected



@jakubuid jakubuid merged commit 4bfdea8 into develop Jan 12, 2026
17 of 20 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Jan 12, 2026