Bump reactor-netty from 1.2.18 to 1.3.6 and Netty to 4.2.15.Final#1874
Bump reactor-netty from 1.2.18 to 1.3.6 and Netty to 4.2.15.Final#1874Yavor16 wants to merge 4 commits into
Conversation
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: No Jira key in PR description — OSS repo; ticket ID intentionally omitted per security boundary. The corresponding change is tracked in the proprietary xsa PR.
Code ReviewNo code-review findings (confidence ≥ 80). SecurityNo issues found. The PR preserves the existing Netty 4.1.135.Final CVE-2026-42583 (Lz4FrameDecoder) mitigation, keeps the reactor-netty family version-aligned via the new managed pins (no mixed-version split), and touches no application code (no injection/auth/deserialization/SSRF/credential surfaces). SonarCloudQuality gate: UNKNOWN — the "Build and analyze" SonarCloud job is still No SonarCloud code annotations surfaced. The only check-runs annotation is a non-Sonar GitHub Actions infra warning (Node.js 20 deprecation on Dependency CVEs✅ No new CVEs introduced by this PR (pre-existing CVEs in the dependency tree are not listed). OWASP Dependency-Check 11.1.1, 12 modules per side. Head vs base (merge-base = current master tip) both have 91 distinct (CVE, artifact) pairs ≥ 7.0; net-new on head = 0 (confirmed two ways). Delta scanned: reactor-netty 1.2.18 → 1.3.6 plus new reactor-netty-core/http pins (all 1.3.6); netty stays 4.1.135.Final.
|
Raise the managed reactor-netty version and add explicit managed pins for reactor-netty-core and reactor-netty-http so every reactor-netty artifact resolves to a single consistent version instead of leaving the core/http submodules floating at the cloudfoundry-client transitive version. Removes the stale property comment that warned against 1.3.x. JIRA:LMCROSSITXSADEPLOY-3410
reactor-netty 1.3.x requires Netty 4.2.x. Align the pinned netty.version property with the already-bumped reactor-netty 1.3.6 so the entire Netty artifact set resolves to a single consistent version (4.2.15.Final). The CVE-2026-42583 fix present in the previous 4.1.x pin is also included in 4.2.15.Final. JIRA:LMCROSSITXSADEPLOY-3410
e2c5a4f to
d5cd758
Compare
Yavor16
left a comment
There was a problem hiding this comment.
Automated code review by MTA Quality Agent — 1 finding(s).
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: LMCROSSITXSADEPLOY-3410 — Migrate to reactory-netty 1.3.x
Code Review1 finding(s): 1 posted inline. Security
SonarCloud
Quality gate: UNKNOWN (analysis still running) The "Build and analyze" job (which includes SonarCloud analysis) has not completed yet — it is still Dependency CVEs✅ No new CVEs introduced by this PR (pre-existing CVEs in the dependency tree are not listed). The PR bumps |
…ITXSADEPLOY-3410 JIRA:LMCROSSITXSADEPLOY-3410
Yavor16
left a comment
There was a problem hiding this comment.
Automated code review by MTA Quality Agent — 1 finding(s).
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: LMCROSSITXSADEPLOY-3410 — Migrate to reactory-netty 1.3.x
Code Review1 finding(s): 1 posted inline. SecurityNo issues found. No exploitable security vulnerabilities were introduced by this diff — no credential exposure, no new attack surface, no auth/deserialization changes. Two informational observations for the author to confirm before merge:
SonarCloud
Quality gate: UNKNOWN — analysis still running. The "Build and analyze" check run (which includes SonarCloud analysis) is still Dependency CVEs⏭️ CVE scan skipped on this review-fix re-run — dependencies were scanned on the initial quality run. |
…ment JIRA:LMCROSSITXSADEPLOY-3410
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: LMCROSSITXSADEPLOY-3410 — Migrate to reactory-netty 1.3.x
Code ReviewNo code-review findings (confidence ≥ 80). SecurityNo issues found. This is a dependency-version and comment-only SonarCloud
Quality gate: UNKNOWN — analysis still running. The "Build and analyze" check run (which includes SonarCloud analysis) is still Dependency CVEs⏭️ CVE scan skipped on this review-fix re-run — dependencies were scanned on the initial quality run. |
|



Description:
Migrate to the reactor-netty 1.3.x line by bumping reactor-netty from 1.2.18 to 1.3.6, and align the transitive Netty stack to 4.2.15.Final so the runtime is consistent with what reactor-netty 1.3.6 expects. The Netty override also picks up the fix for CVE-2026-42583 (Lz4FrameDecoder resource exhaustion).
What changed
reactor-netty.versionbumped1.2.18→1.3.6.netty.versionbumped4.1.135.Final→4.2.15.Finalto match the Netty baseline required by reactor-netty 1.3.x and to pick up the CVE-2026-42583 fix.dependencyManagemententries forreactor-netty-coreandreactor-netty-http, pinned to${reactor-netty.version}, so the split reactor-netty artifacts resolve to a single consistent version.Notes for the reviewer
Issue:
Jira: LMCROSSITXSADEPLOY-3410