Skip to content

fix(deps): update dependency commons-codec:commons-codec to v1.20.0 #1097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency commons-codec:commons-codec to v1.20.0 #1097

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 10, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
commons-codec:commons-codec (source) 1.18.0 -> 1.20.0 age confidence

Release Notes

apache/commons-codec (commons-codec:commons-codec)

v1.20.0

The Apache Commons Codec team is pleased to announce the release of Apache Commons Codec 1.20.0.

The Apache Commons Codec component contains encoders and decoders for
formats such as Base16, Base32, Base64, digest, and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.

This is a feature and maintenance release. Java 8 or later is required.

Configuration

📅 Schedule: Branch creation - "every 3 weeks on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

vlsi
vlsi requested changes Nov 10, 2025
View reviewed changes
Copy link
Collaborator

@vlsi vlsi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a real reason to use commons-codec?
We should rather drop the dependency to avoid CVEs

@vlsi
Copy link
Collaborator

vlsi commented Nov 10, 2025
edited
Loading

Ah, it is used in transitive dependencies:

+--- com.google.http-client:google-http-client-apache-v2 -> 1.47.1
|    +--- com.google.http-client:google-http-client:1.47.1
|    |    +--- org.apache.httpcomponents:httpclient:4.5.14
|    |    |    +--- org.apache.httpcomponents:httpcore:4.4.16
|    |    |    +--- commons-logging:commons-logging:1.2
|    |    |    \--- commons-codec:commons-codec:1.11 -> 1.18.0

Unfortunately, httpclient4 is not supported, so there's no way to remove commons-codec dependency while http-client 5 already has removed commons-codec dependency.

@loosebazooka
Copy link
Member

loosebazooka commented Nov 10, 2025

there is a v5 pathway: https://github.com/googleapis/google-http-java-client/tree/main/google-http-client-apache-v5 , probably going to need to look into how to use that instead.

@renovate renovate bot force-pushed the renovate/commons-codec-commons-codec-1.x branch from 01972d4 to 375c59b Compare November 10, 2025 14:23
@loosebazooka
Copy link
Member

loosebazooka commented Nov 10, 2025

it seems like ideally we would just move off of google-http-client?

@renovate renovate bot force-pushed the renovate/commons-codec-commons-codec-1.x branch from 375c59b to f385a72 Compare November 12, 2025 19:48
@renovate renovate bot force-pushed the renovate/commons-codec-commons-codec-1.x branch from f385a72 to e20dcc7 Compare November 18, 2025 16:46
@vlsi
Copy link
Collaborator

vlsi commented Nov 18, 2025

If you are ok to move off google-http-client, then it might be a workable solution as well

@loosebazooka
Copy link
Member

loosebazooka commented Nov 18, 2025
edited
Loading

Google-http-client was convenient at the time (especially for oidc). But we have no attachment to it.

I have a half done branch just using apache http client directly. I'll see how that goes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vlsi vlsi vlsi requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vlsi @loosebazooka