UID2-7251: bump netty to 4.1.135.Final to fix 4 HIGH CVEs#615
Merged
Conversation
PR #614 bumped netty to 4.1.133.Final, but the 4 HIGH netty CVEs flagged by Trivy in the operator publish are only fixed in 4.1.135.Final: io.netty:netty-handler CVE-2026-44249, CVE-2026-45416 io.netty:netty-resolver-dns CVE-2026-45674, CVE-2026-47691 Bumping here keeps uid2-shared aligned with the operator's netty pin. Note: uid2-operator pins netty independently, so this change alone does not affect the operator until uid2-shared is released and the operator's uid2-shared.version is bumped. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
BehnamMozafari
approved these changes
Jun 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Bumps
netty.versionfrom4.1.133.Final→4.1.135.Final.Why
PR #614 bumped netty to
4.1.133.Final, but the 4 HIGH netty CVEs flagged by Trivy in the operator publish are only fixed in4.1.135.Final:io.netty:netty-handlerio.netty:netty-resolver-dnsThis keeps uid2-shared aligned with the operator's netty pin (operator fix: IABTechLab/uid2-operator#2593).
Note: uid2-operator pins netty independently of uid2-shared, so this change alone does not affect the operator build until uid2-shared is released and the operator's
uid2-shared.versionis bumped to pick it up. The operator PR is what unblocks the failing scan.Verification
mvn dependency:tree -Dincludes=io.netty→ allnetty-4.1.xartifacts resolve to4.1.135.Final.mvn clean compile→ BUILD SUCCESS.🤖 Generated with Claude Code