Bump reactor-netty from 1.2.18 to 1.3.6 and Netty to 4.2.15.Final#1874
Bump reactor-netty from 1.2.18 to 1.3.6 and Netty to 4.2.15.Final#1874Yavor16 wants to merge 2 commits into
Conversation
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: No Jira key in PR description — OSS repo; ticket ID intentionally omitted per security boundary. The corresponding change is tracked in the proprietary xsa PR.
Code ReviewNo code-review findings (confidence ≥ 80). SecurityNo issues found. The PR preserves the existing Netty 4.1.135.Final CVE-2026-42583 (Lz4FrameDecoder) mitigation, keeps the reactor-netty family version-aligned via the new managed pins (no mixed-version split), and touches no application code (no injection/auth/deserialization/SSRF/credential surfaces). SonarCloudQuality gate: UNKNOWN — the "Build and analyze" SonarCloud job is still No SonarCloud code annotations surfaced. The only check-runs annotation is a non-Sonar GitHub Actions infra warning (Node.js 20 deprecation on Dependency CVEs✅ No new CVEs introduced by this PR (pre-existing CVEs in the dependency tree are not listed). OWASP Dependency-Check 11.1.1, 12 modules per side. Head vs base (merge-base = current master tip) both have 91 distinct (CVE, artifact) pairs ≥ 7.0; net-new on head = 0 (confirmed two ways). Delta scanned: reactor-netty 1.2.18 → 1.3.6 plus new reactor-netty-core/http pins (all 1.3.6); netty stays 4.1.135.Final.
|
Raise the managed reactor-netty version and add explicit managed pins for reactor-netty-core and reactor-netty-http so every reactor-netty artifact resolves to a single consistent version instead of leaving the core/http submodules floating at the cloudfoundry-client transitive version. Removes the stale property comment that warned against 1.3.x. JIRA:LMCROSSITXSADEPLOY-3410
reactor-netty 1.3.x requires Netty 4.2.x. Align the pinned netty.version property with the already-bumped reactor-netty 1.3.6 so the entire Netty artifact set resolves to a single consistent version (4.2.15.Final). The CVE-2026-42583 fix present in the previous 4.1.x pin is also included in 4.2.15.Final. JIRA:LMCROSSITXSADEPLOY-3410
e2c5a4f to
d5cd758
Compare
|
Yavor16
left a comment
There was a problem hiding this comment.
Automated code review by MTA Quality Agent — 1 finding(s).
| <reactor-netty.version>1.2.18</reactor-netty.version> | ||
| <!-- Override Netty version to fix CVE-2026-42583 (Lz4FrameDecoder resource exhaustion) --> | ||
| <netty.version>4.1.135.Final</netty.version> | ||
| <reactor-netty.version>1.3.6</reactor-netty.version> |
There was a problem hiding this comment.
Severity: IMPORTANT · Confidence: 82
The comment removing the direct-memory OOM workaround note is silent about whether the regression was actually fixed upstream in reactor-netty 1.3.x. The original comment <!--reactor netty 1.3.x uses direct memory leading to OOM errors--> was a deliberate guard against upgrading past 1.2.x. Upgrading to 1.3.6 without any reference to the upstream fix risks reintroducing OOM in production under heap-limited CF deployments. The PR description or a code comment should cite the upstream reactor-netty issue/commit that resolved the direct-memory problem, so future maintainers understand the constraint was intentionally lifted.
Evidence: <reactor-netty.version>1.3.6</reactor-netty.version>
Fix: Add an inline comment documenting that the direct-memory OOM issue tracked in the original comment was resolved upstream (cite the reactor-netty issue/release), e.g.:
| <reactor-netty.version>1.3.6</reactor-netty.version> | |
| <!-- reactor-netty 1.3.x direct-memory OOM (previously pinned to 1.2.x) resolved upstream; see reactor-netty#<issue> --> | |
| <reactor-netty.version>1.3.6</reactor-netty.version> |
MTA Quality Report — cloudfoundry/multiapps-controller PR #1874Jira: LMCROSSITXSADEPLOY-3410 — Migrate to reactory-netty 1.3.x
Code Review1 finding(s): 1 posted inline. Security
SonarCloud
Quality gate: UNKNOWN (analysis still running) The "Build and analyze" job (which includes SonarCloud analysis) has not completed yet — it is still Dependency CVEs✅ No new CVEs introduced by this PR (pre-existing CVEs in the dependency tree are not listed). The PR bumps |



Description:
Migrate to the reactor-netty 1.3.x line by bumping reactor-netty from 1.2.18 to 1.3.6, and align the transitive Netty stack to 4.2.15.Final so the runtime is consistent with what reactor-netty 1.3.6 expects. The Netty override also picks up the fix for CVE-2026-42583 (Lz4FrameDecoder resource exhaustion).
What changed
reactor-netty.versionbumped1.2.18→1.3.6.netty.versionbumped4.1.135.Final→4.2.15.Finalto match the Netty baseline required by reactor-netty 1.3.x and to pick up the CVE-2026-42583 fix.dependencyManagemententries forreactor-netty-coreandreactor-netty-http, pinned to${reactor-netty.version}, so the split reactor-netty artifacts resolve to a single consistent version.Notes for the reviewer
Issue:
Jira: LMCROSSITXSADEPLOY-3410