build(crypto,rpc,http,event): bump bundled libs for security fixes #6747

Open

halibobo1205 wants to merge 1 commit into tronprotocol:develop from halibobo1205:dependcies/update

Conversation

@halibobo1205 (Collaborator)

Upgrade bundled libraries in crypto, RPC, HTTP, and event/plugin-related components to newer patched versions to address known security vulnerabilities.

Changes:

   1. bump bcprov-jdk18on from 1.79 to 1.84 (fixes CVE-2026-5598)
   2. bump jetty from 9.4.57 to 9.4.58 (fixes CVE-2025-5115)
   3. bump pf4j from 3.10.0 to 3.14.1 (fixes CVE-2025-70952)
   4. bump grpc-java from 1.75 to 1.81 (fixes CVE-2026-33871)

Impact:

  • picks up upstream security patches in bundled dependencies
  • reduces exposure to known vulnerable library versions
  • no intended behavior changes beyond dependency upgrades
@waynercheung (Collaborator) left a comment

LGTM

@yanghang8612 (Collaborator) left a comment

LGTM

@0xbigapple (Collaborator) commented May 6, 2026

Thanks for the upgrade. One concern worth flagging:

9.4.58.v20250814 is the last Jetty line that still supports JDK 8, and it is a sponsored release for an End of Life version of Jetty — the 9.4.x branch is officially EOL. After this bump, the following CVEs remain unpatched on 9.4.x:

Future Jetty CVEs will keep landing in the same state. Worth opening a separate discussion to evaluate a longer-term replacement path. No objection to merging this PR — it still closes CVE-2025-5115.
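Both points in this thread, the version floors in the PR description and the Jetty 9.4 EOL concern raised in the comment above, can be checked mechanically rather than by reading build files. The script below is an added example and not java-tron project code: it parses the text tree printed by `./gradlew dependencies`, flags any resolved version still below the minimum that carries the fix named in the description, and separately flags any resolution on the Jetty 9.4 line, which the comment identifies as EOL. The report it parses is constructed for the example; the artifact coordinates (org.bouncycastle:bcprov-jdk18on, org.eclipse.jetty:jetty-server, org.pf4j:pf4j, io.grpc:grpc-core) and the pluginRuntimeClasspath configuration are assumptions about what the project pins, and the CVE mapping is taken from the description.

```python
"""Check resolved Gradle dependency versions against patched minimums and EOL lines.

Added example, not java-tron project code. It parses the text tree printed by
`./gradlew dependencies` and reports (a) any resolved version still below the
minimum that carries the fix named in the PR, and (b) any resolution on a
release line the thread identifies as EOL. The sample report and the artifact
coordinates are constructed assumptions, not captured from the project.
"""
import re
from typing import Dict, List, Set, Tuple

# Minimums from the PR description. Artifact coordinates are assumptions about
# which artifacts the project pins.
MIN_PATCHED: Dict[str, str] = {
    "org.bouncycastle:bcprov-jdk18on": "1.84",   # CVE-2026-5598
    "org.eclipse.jetty:jetty-server": "9.4.58",  # CVE-2025-5115
    "org.pf4j:pf4j": "3.14.1",                   # CVE-2025-70952
    "io.grpc:grpc-core": "1.81",                 # CVE-2026-33871
}

# Release lines with no further upstream fixes (the thread notes Jetty 9.4.x is
# EOL): meeting MIN_PATCHED still leaves these without future patches.
EOL_LINES: Dict[str, str] = {
    "org.eclipse.jetty:jetty-server": "9.4",
}

# One tree line: "+--- group:artifact:declared -> resolved (*)". Project
# dependencies ("project :foo") and "{strictly ...}" constraints do not match
# and are skipped deliberately.
DEP_LINE = re.compile(
    r"^[\s|+\\]*---\s+(?P<ga>[\w.\-]+:[\w.\-]+):(?P<declared>[\w.\-]+)"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)

# Constructed report: two configurations, the second still resolving the old
# Jetty because it is pinned independently of the bumped module.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.bouncycastle:bcprov-jdk18on:1.79 -> 1.84
+--- org.eclipse.jetty:jetty-server:9.4.58.v20250814
|    +--- org.eclipse.jetty:jetty-http:9.4.58.v20250814
|    \\--- org.eclipse.jetty:jetty-io:9.4.58.v20250814
+--- org.pf4j:pf4j:3.14.1
\\--- io.grpc:grpc-netty:1.81.0
     \\--- io.grpc:grpc-core:1.75.0 -> 1.81.0 (*)

pluginRuntimeClasspath - constructed configuration for a plugin module.
+--- project :framework
\\--- org.eclipse.jetty:jetty-server:9.4.57.v20241219
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only: "9.4.58.v20250814" -> (9, 4, 58, 20250814)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_at_least(version: str, minimum: str) -> bool:
    """Numeric comparison, zero-padded so "1.81.0" satisfies a minimum of "1.81"."""
    a, b = version_key(version), version_key(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def parse_report(report: str) -> Dict[str, Set[str]]:
    """Map group:artifact -> every version actually resolved, across all configurations."""
    resolved: Dict[str, Set[str]] = {}
    for line in report.splitlines():
        m = DEP_LINE.match(line)
        if m:
            version = m.group("resolved") or m.group("declared")
            resolved.setdefault(m.group("ga"), set()).add(version)
    return resolved


def find_unpatched(resolved: Dict[str, Set[str]],
                   minimums: Dict[str, str] = MIN_PATCHED) -> List[Tuple[str, str, str]]:
    """(group:artifact, resolved version, required minimum) for every stale resolution."""
    return [(ga, v, minimum)
            for ga, minimum in minimums.items()
            for v in sorted(resolved.get(ga, ()))
            if not version_at_least(v, minimum)]


def find_eol(resolved: Dict[str, Set[str]],
             eol_lines: Dict[str, str] = EOL_LINES) -> List[Tuple[str, str]]:
    """(group:artifact, resolved version) for every resolution on an EOL release line."""
    return [(ga, v)
            for ga, line in eol_lines.items()
            for v in sorted(resolved.get(ga, ()))
            if version_key(v)[:len(version_key(line))] == version_key(line)]


def main() -> int:
    resolved = parse_report(SAMPLE_REPORT)
    stale = find_unpatched(resolved)
    for ga, v, minimum in stale:
        print(f"STALE  {ga} resolved {v}, need >= {minimum}")
    for ga, v in find_eol(resolved):
        print(f"EOL    {ga} resolved {v} is on a line with no further upstream fixes")
    return 1 if stale else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On a real checkout, feed it the output of `./gradlew dependencies` for every module and configuration rather than only the module whose build file was edited: a declared bump in one module does not by itself move a transitive copy that another module resolves on its own, which is what the constructed second configuration above illustrates. The EOL check is the reason the script reports Jetty even at 9.4.58: the floor is met, but the line itself will not receive the next fix.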

Labels

topic:security dependency upgrade

7 participants