Commit 88a3d0d
authored
Update HttpCore5 to 5.4.3 and HttpClient5 to 5.5.2 (CVE-2026-54399) (#93)
#### Rationale
CVE-2026-54399 (HIGH 7.5) affects Apache HttpComponents Core5 before
5.4.3 (both httpcore5 and httpcore5-h2) via HTTP/1.1 message-parser
resource exhaustion. This library pinned httpcore5 5.3.6 and pulled
httpcore5-h2 5.3.6 transitively - both flagged by LabKey Server's OWASP
Dependency Check. Fixing here is the root-cause fix so downstream
consumers (labkey-api-jdbc, LabKey Server) inherit the patched versions.
#### Related Pull Requests
* labkey-api-jdbc and LabKey Server PRs to follow once 7.3.0 is released
#### Changes
* Bump httpcore5 5.3.6 -> 5.4.3 (CVE-2026-54399)
* Declare httpcore5-h2 explicitly at 5.4.3 (was transitive at 5.3.6,
same CVE)
* Align httpclient5 5.5.1 -> 5.5.2 with LabKey Server's proven pairing
* Add CHANGELOG entry under 7.3.0-SNAPSHOT1 parent 5131897 commit 88a3d0d
3 files changed
Lines changed: 5 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
| 6 | + | |
6 | 7 | | |
7 | 8 | | |
8 | 9 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
76 | 76 | | |
77 | 77 | | |
78 | 78 | | |
| 79 | + | |
| 80 | + | |
79 | 81 | | |
80 | 82 | | |
81 | 83 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
15 | | - | |
16 | | - | |
| 15 | + | |
| 16 | + | |
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
| |||
0 commit comments