
Bump ring-jetty-adapter to 1.15.4 (Jetty 12.1.8) to address CVE-2026-2332 #9

Merged: weavejester merged 1 commit into duct-framework:master from ricry:cve-2026-2332-jetty-12-1-8 on Jun 11, 2026

Conversation

@ricry ricry commented Jun 9, 2026

Summary

Bumps ring/ring-jetty-adapter from 1.15.3 to 1.15.4, which upgrades the
transitive Eclipse Jetty dependency from 12.1.0 to 12.1.8 — a version that
includes the fix for CVE-2026-2332.

Why

CVE-2026-2332 is an HTTP request smuggling vulnerability in Jetty's HTTP/1.1
parser, caused by improper parsing of quoted-string chunk extensions in chunked
transfer encoding (CWE-444). For the 12.1.x line, versions up to and including
12.1.6 are affected, and it is fixed in 12.1.7 and later.

server.http.jetty currently depends on ring/ring-jetty-adapter 1.15.3, which
pulls in Jetty 12.1.0 — within the affected range. ring/ring-jetty-adapter 1.15.4 depends on Jetty 12.1.8, which includes the fix.

Today, downstream Duct applications have to override Jetty in their own
dependency manifests (e.g. :override-deps in deps.edn) to pick up the fixed
parser. Bumping the adapter here lets every consumer of
org.duct-framework/server.http.jetty get the fixed Jetty by default, without
per-project overrides.

Changes

  • deps.edn: ring/ring-jetty-adapter 1.15.3 → 1.15.4
  • project.clj: same version bump

Testing

  • Existing test suite passes: lein test
    Ran 3 tests containing 22 assertions. 0 failures, 0 errors.
    (this repo has no :test alias in deps.edn, so use lein test;
    clj -M:test does not work here)
  • Dependency tree shows the Jetty server modules (org.eclipse.jetty*) at 12.1.8
    (lein deps :tree | grep -i jetty)
  • A Duct app using module.web + server.http.jetty boots and serves basic
    HTTP requests on Jetty 12.1.8
    → Verified with a minimal org.duct-framework/main app
    (module.web 0.13.4 + this branch's server.http.jetty via :local/root).
    clojure -M:duct --main boots, and curl -i http://127.0.0.1:3000/ returns
    HTTP/1.1 200 OK with Server: Jetty(12.1.8).

References
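As an added example (not part of this PR or the Duct project): a small Python check that applies the affected range stated above (12.1.0 through 12.1.6 affected, 12.1.7 and later fixed) to `lein deps :tree` output and to the `Server:` header from `curl -i`, so a consumer can confirm it actually picked up the fixed parser. The regex shapes and the sample tree lines are constructed assumptions, not real tool output.

```python
import re

# CVE-2026-2332 range for the Jetty 12.1.x line, as stated in the PR text:
# 12.1.0 .. 12.1.6 affected, 12.1.7 and later fixed. Other lines are not
# covered by the PR, so this check makes no claim about them.
AFFECTED_LINE = (12, 1)
FIRST_FIXED_PATCH = 7

# Assumed shape of a Jetty coordinate in `lein deps :tree` output, e.g.
#   [org.eclipse.jetty/jetty-server "12.1.8"]
DEP_RE = re.compile(r'\[(org\.eclipse\.jetty[\w.\-]*/[\w.\-]+)\s+"([^"]+)"\]')
# Assumed shape of the header `curl -i` prints, e.g.  Server: Jetty(12.1.8)
SERVER_RE = re.compile(r'^Server:\s*Jetty\(([\d.]+)\)', re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """'12.1.8' -> (12, 1, 8); tolerates suffixes such as '12.1.8.v2026'."""
    return tuple(int(p) for p in text.split(".")[:3] if p.isdigit())


def cve_2026_2332_status(version):
    """Return 'affected', 'fixed', or 'unknown' for a Jetty version string."""
    v = parse_version(version)
    if len(v) < 3 or v[:2] != AFFECTED_LINE:
        return "unknown"
    return "fixed" if v[2] >= FIRST_FIXED_PATCH else "affected"


def audit_deps_tree(tree_output):
    """Map every Jetty artifact in the tree to (version, status)."""
    return {art: (ver, cve_2026_2332_status(ver))
            for art, ver in DEP_RE.findall(tree_output)}


def audit_server_header(curl_output):
    """Return (version, status) from a Server: Jetty(x.y.z) header, else None."""
    m = SERVER_RE.search(curl_output)
    return (m.group(1), cve_2026_2332_status(m.group(1))) if m else None


# Constructed sample: the pre-bump tree, where the adapter pulls in Jetty 12.1.0.
SAMPLE_TREE_OLD = """
 [ring/ring-jetty-adapter "1.15.3"]
   [org.eclipse.jetty/jetty-server "12.1.0"]
   [org.eclipse.jetty.ee9/jetty-ee9-servlet "12.1.0"]
"""

if __name__ == "__main__":
    for artifact, (ver, status) in audit_deps_tree(SAMPLE_TREE_OLD).items():
        print(f"{artifact} {ver}: {status}")
```

Pipe the real output in with `lein deps :tree | python3 check_jetty.py` style plumbing (read `sys.stdin` instead of the constant) to run it against a project; any `affected` line means the override or the bump has not taken effect.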

@weavejester weavejester (Contributor) commented

Thanks! Can you change the commit message to:

Update ring-jetty-adapter to 1.15.4 (Jetty 12.1.8)

This makes the commit message more searchable (as other commits use "update" rather than "bump"), and keeps it 50 characters or under.

ricry force-pushed the cve-2026-2332-jetty-12-1-8 branch from 5c44827 to c964e6d on June 9, 2026 01:42

@ricry ricry (Author) commented Jun 10, 2026

Done.

@weavejester weavejester (Contributor) commented

Thanks! I notice that Cursor has added itself as a co-author, which doesn't seem correct for a commit that's just changing a version number of a dependency.

ricry force-pushed the cve-2026-2332-jetty-12-1-8 branch from c964e6d to bdb4d8e on June 10, 2026 04:02

@ricry ricry (Author) commented Jun 10, 2026

Thanks for spotting this! The Co-authored-by: Cursor trailer was added automatically by the tooling and isn't appropriate for a dependency version update. I've amended the commit to remove it and force-pushed the branch.

weavejester merged commit a40bc31 into duct-framework:master on Jun 11, 2026 (1 check passed)

@weavejester weavejester (Contributor) commented

Merged, thanks! I'll cut a release soon.
