….20.0 to 1.39.0
Snyk has created this PR to upgrade com.google.oauth-client:google-oauth-client-jetty from 1.20.0 to 1.39.0.
See this package in maven: com.google.oauth-client:google-oauth-client-jetty
See this project in Snyk: https://app.snyk.io/org/or-QuUsyZrbWBirP6ZihBbkNA/project/e5a72a5e-f907-4048-814f-0bdc1e354b52?utm_source=github&utm_medium=referral&page=upgrade-pr
✅ Snyk checks have passed. No issues have been found so far.
Pull request overview
This PR upgrades the Google OAuth Client Jetty library from version 1.20.0 to 1.39.0 to address three security vulnerabilities in the transitive Jetty dependency: two high-severity issues (Privilege Escalation and Path Traversal) and one medium-severity Cryptographic Issues vulnerability.
Changes:
- Updated project.oauth.version from 1.20.0 to 1.39.0
- Changed empty <compilerArgument></compilerArgument> tag to self-closing <compilerArgument/> tag
| <source>1.6</source> | ||
| <target>1.6</target> |
The project is configured to compile with Java 1.6 source and target versions, but google-oauth-client-jetty version 1.39.0 requires Java 7 or higher. This will likely cause compilation failures. You need to update the source and target versions to at least 1.7 to be compatible with the upgraded dependency.
| @@ -15,7 +15,7 @@ | |||
| <project.youtube.analytics.version>v1-rev63-1.22.0</project.youtube.analytics.version> | |||
| <project.youtube.reporting.version>v1-rev10-1.22.0</project.youtube.reporting.version> | |||
| <project.http.version>1.20.0</project.http.version> | |||
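Review bot: the context lines pin the YouTube Analytics and Reporting clients to -1.22.0 builds while project.http.version stays at 1.20.0, so with the OAuth client moved to 1.39.0 this pom references three different release lines of the Google client libraries. Run mvn dependency:tree after the bump, confirm which google-http-client version Maven actually resolves, and consider aligning these properties in the same change.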
The google-http-client dependency (version 1.20.0) may be incompatible with the upgraded google-oauth-client-jetty (version 1.39.0). According to the Google OAuth Client library compatibility guidelines, version 1.39.0 typically requires google-http-client version 1.39.0 or compatible versions. Consider upgrading project.http.version to 1.39.0 or a compatible version to ensure proper interoperability between these dependencies.
| <project.http.version>1.20.0</project.http.version> | |
| <project.http.version>1.39.0</project.http.version> |
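The two concerns raised in the review comments above (mismatched client-library properties and a compiler level below what the upgraded dependency is said to need) can be checked mechanically before merging an automated upgrade PR. The script below is an added example, not code from this repository or from Snyk; the sample pom is constructed, and the Java 7 minimum is an assumption taken from the review comment.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed pom.xml fragment; property names and values mirror the ones quoted in this review.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <project.http.version>1.20.0</project.http.version>
    <project.oauth.version>1.39.0</project.oauth.version>
  </properties>
  <build><plugins><plugin>
    <artifactId>maven-compiler-plugin</artifactId>
    <configuration><source>1.6</source><target>1.6</target></configuration>
  </plugin></plugins></build>
</project>"""

def java_level(text):
    """Map '1.6' -> 6 and '11' -> 11; return None for property references such as ${java.version}."""
    m = re.fullmatch(r"(?:1\.)?(\d+)", (text or "").strip())
    return int(m.group(1)) if m else None

def check_pom(pom_xml, aligned=("project.http.version", "project.oauth.version"), min_java=7):
    """Return findings for mismatched client-library properties and a too-low compiler level.

    min_java=7 is an assumption taken from the review comment, not from library documentation.
    """
    root = ET.fromstring(pom_xml)
    findings = []
    props = {el.tag.split("}")[-1]: (el.text or "").strip()
             for el in root.findall("m:properties/*", NS)}
    versions = {name: props[name] for name in aligned if name in props}
    if len(set(versions.values())) > 1:
        findings.append("version mismatch: "
                        + ", ".join(f"{k}={v}" for k, v in sorted(versions.items())))
    for plugin in root.iter(f"{{{POM_NS}}}plugin"):
        if plugin.findtext("m:artifactId", namespaces=NS) != "maven-compiler-plugin":
            continue
        for key in ("source", "target"):
            value = plugin.findtext(f"m:configuration/m:{key}", namespaces=NS)
            level = java_level(value)
            if level is not None and level < min_java:
                findings.append(f"compiler {key} {value} is below Java {min_java}")
    return findings

if __name__ == "__main__":
    for finding in check_pom(SAMPLE_POM):
        print(finding)
```

This only inspects properties declared in the pom itself; the versions Maven actually resolves for transitive dependencies still need to be confirmed with mvn dependency:tree.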
Snyk has created this PR to upgrade com.google.oauth-client:google-oauth-client-jetty from 1.20.0 to 1.39.0.
ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
The recommended version is 36 versions ahead of your current version.
The recommended version was released 10 months ago.
Issues fixed by the recommended upgrade:
SNYK-JAVA-ORGMORTBAYJETTY-1021919
SNYK-JAVA-ORGMORTBAYJETTY-6243615
SNYK-JAVA-ORGMORTBAYJETTY-173762
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.