Skip to content

[bot] Merge 26.7 to develop (Conflicts)#1446

Merged
github-actions[bot] merged 4 commits into
developfrom
fb_bot_merge_26.7
Jul 15, 2026
Merged

[bot] Merge 26.7 to develop (Conflicts)#1446
github-actions[bot] merged 4 commits into
developfrom
fb_bot_merge_26.7

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Automatic merge failed! Please merge 26.7 into fb_bot_merge_26.7 and resolve conflicts manually.

git fetch
git checkout fb_bot_merge_26.7
git reset --hard origin/develop
git merge 1496e57b6464d791fd79b22ef7d7abe21267db80 -m "Merge 26.7 to develop"

Resolve all conflicts (using IntelliJ or git mergetool)

git commit
git push --force

Approve all matching PRs simultaneously.
Approval will trigger automatic merge.
Verify all PRs before approving: https://internal.labkey.com/Scrumtime/Backlog/harvest-gitOpenPullRequests.view?branch=fb_bot_merge_26.7

labkey-willm and others added 3 commits July 9, 2026 10:00
## Rationale
LabKey Server's OWASP Dependency Check build is failing on develop with
124 findings, the bulk of them from a handful of vulnerable third-party
dependencies. This PR clears the findings that can be resolved by
version bumps/forces and suppresses two verified false positives.

this is a backport from develop

## Related Pull Requests
- #1438

## Changes
- Tomcat 11.0.22 -> 11.0.23: CVE-2026-53434 and CVE-2026-55276 (CRITICAL
9.1), plus CVE-2026-53404, CVE-2026-55955, CVE-2026-55956,
CVE-2026-50229
- httpcore5 5.4.2 -> 5.4.3, and a new httpcore5-h2 force at 5.4.3
(previously transitive at 5.3.6): CVE-2026-54399
- Jackson 2.21.4 -> 2.21.5 (jacksonVersion, jacksonDatabindVersion,
jacksonJaxrsBaseVersion): CVE-2026-54515
- Suppress classic httpcore 4.x for CVE-2026-54399 (the CVE is scoped to
HttpComponents Core 5.x; the 4.x line is EOL and unaffected)
- Suppress Kotlin runtime jars for CVE-2026-53914 (a Kotlin
build-cache-metadata deserialization flaw scored 6.7 MEDIUM by
JetBrains, not applicable to the shipped stdlib/reflect runtime jars)
- Update comments to document that apacheTomcatVersion is intentionally
held ahead of Spring Boot's managed Tomcat

<!-- list of standard tasks (remove this comment to enable)
## Tasks 📍
- [ ] Claude Code Review
- [ ] Manual Testing
- [ ] Test Automation
- [ ] Verify Fix
-->
….7.12 (#1442)

## Rationale
Ports the OWASP dependency-check CVE remediations from develop (PR
#1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The
26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2
resolving transitively to 5.3.6) and additionally CVE-2026-54291
(postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade
fixed in 42.7.12; develop was already on 42.7.12).

## Related Pull Requests
- #1441

## Changes
- Force `org.apache.httpcomponents.core5:httpcore5-h2` to
`httpcore5Version` (5.4.3), upgrading the transitive 5.3.6 past the
vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428).
- Bump `postgresqlDriverVersion` 42.7.11 -> 42.7.12 (CVE-2026-54291).
- Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x
artifact.

## Note on shaded copies
Shaded copies of these http5 libraries originate from labkey-api-jdbc
and are addressed separately.
@cnathe cnathe force-pushed the fb_bot_merge_26.7 branch from 18b51a6 to 806b2c9 Compare July 15, 2026 13:14
@github-actions github-actions Bot merged commit 806b2c9 into develop Jul 15, 2026
7 checks passed
@github-actions github-actions Bot deleted the fb_bot_merge_26.7 branch July 15, 2026 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants