feat(Dependcies): update jetty & pl4j & jackjson#116
feat(Dependcies): update jetty & pl4j & jackjson#116halibobo1205 wants to merge 1 commit intodevelopfrom
Conversation
|
CodeAnt AI is reviewing your PR. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
codeant-ai
Bot
added
the
size:L
|
CodeAnt AI finished reviewing your PR. |
|
@CodeAnt-AI: review |
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
Sequence DiagramThis PR updates versions and verification metadata for core third party libraries (Jetty, Netty, Jackson, gRPC, PF4J and others), so builds use patched artifacts and the runtime handles network and serialization operations through these safer dependencies. sequenceDiagram
participant Developer
participant Build
participant DependencyRepo
participant Application
participant CoreLibraries
participant Client
Developer->>Build: Trigger build with updated dependency versions
Build->>DependencyRepo: Fetch updated library artifacts
DependencyRepo-->>Build: Return artifacts for new versions
Build->>Build: Verify checksums using verification metadata
Build->>Application: Assemble application with updated libraries
Client->>Application: Send request to node
Application->>CoreLibraries: Handle network and data using updated libs
CoreLibraries-->>Application: Return processed data for response
Generated by CodeAnt AI |
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
halibobo1205
changed the title
|
@codex: review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1757611b8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
halibobo1205
force-pushed
the
dependcies/update
branch
from
d175761 to
71382c1
Compare
|
CodeAnt AI is running Incremental review Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:XXL
|
CodeAnt AI Incremental review completed. |
halibobo1205
force-pushed
the
dependcies/update
branch
from
71382c1 to
60a5bed
Compare
|
@codex: review |
|
Codex Review: Didn't find any major issues. 🚀 ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
halibobo1205
force-pushed
the
dependcies/update
branch
2 times, most recently
from
240c771 to
fe1cdfe
Compare
1. bump bcprov-jdk18on from 1.79 to 1.84 fix CVE-2026-5598 2. bump jetty from 9.4.57 to 9.4.58 fix CVE-2025-5115 3. bump pf4j from 3.10.0 to 3.14.1 fix CVE-2025-70952 4. bump grpc-java from 1.75 to 1.81 fix CVE-2026-33871
halibobo1205
force-pushed
the
dependcies/update
branch
from
fe1cdfe to
0c0befc
Compare
|
CodeAnt AI is running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
codeant-ai
Bot
added
size:L
Sequence DiagramThis PR updates Gradle's verification metadata so that builds resolve newer, security-fixed versions of core libraries (such as gRPC, Jetty, Netty, Bouncy Castle, Guava, Gson, and JUnit) and validate them via updated checksums before packaging and running the application. sequenceDiagram
participant Developer
participant GradleBuild
participant DependencyRepo
participant AppRuntime
Developer->>GradleBuild: Trigger build
GradleBuild->>DependencyRepo: Resolve updated core libraries
GradleBuild->>GradleBuild: Verify library checksums using verification metadata
GradleBuild->>AppRuntime: Package and start app with new validated dependencies
Generated by CodeAnt AI |
![codeant-ai[bot]](https://avatars.githubusercontent.com/in/646884?s=60&v=4){kind=small}
| <artifact name="protoc-gen-grpc-java-1.81.0-osx-aarch_64.exe"> | ||
| <sha256 value="737e7d52f11af89f39295e8a14e5ccb94582626c81e559137e62df8fc27cd6a4" origin="Generated by Gradle"/> | ||
| </artifact> | ||
| <artifact name="protoc-gen-grpc-java-1.76.0.pom"> | ||
| <sha256 value="d5a8d2cf3dfaa0f04c8eabcef91ec7ae68cb516a701fbbae84236526c02f3570" origin="Generated by Gradle"/> | ||
| <artifact name="protoc-gen-grpc-java-1.81.0-osx-x86_64.exe"> | ||
| <sha256 value="737e7d52f11af89f39295e8a14e5ccb94582626c81e559137e62df8fc27cd6a4" origin="Generated by Gradle"/> | ||
| </artifact> |
There was a problem hiding this comment.
Suggestion: The checksum for the osx-x86_64 gRPC codegen binary is set to the exact same value as osx-aarch_64, which is very likely a copied hash for a different artifact. If the Intel macOS binary differs (as classifier-specific binaries usually do), Gradle dependency verification will fail on x86_64 mac builds. Regenerate and store the checksum for the actual protoc-gen-grpc-java-1.81.0-osx-x86_64.exe artifact. [possible bug]
Severity Level: Major ⚠️
- ❌ Mac x86_64 builds fail at gRPC stub generation.
- ❌ `:protocol:build` unusable on Intel mac developer machines.
- ⚠️ Mac-based CI agents blocked when running Gradle build.Steps of Reproduction ✅
1. On a macOS x86_64 machine, run `./gradlew :protocol:generateProto` in
`/workspace/java-tron` (gRPC stub generation configured in `protocol/build.gradle:43-63`
using the `com.google.protobuf` Gradle plugin and `grpc` plugin artifact at
`protocol/build.gradle:49-52`).
2. During configuration, `build.gradle:10-16,32-39` computes `archInfo` and sets
`archInfo.requires.ProtocGenVersion` to `1.81.0` for all macOS builds (`isMac` true), so
the protobuf plugin resolves `io.grpc:protoc-gen-grpc-java:1.81.0` with the `osx-x86_64`
classifier on Intel Macs.
3. Dependency verification uses `gradle/verification-metadata.xml:22-35`, which defines
checksums for `protoc-gen-grpc-java-1.81.0-linux-aarch_64.exe`, `...-osx-aarch_64.exe`,
and `...-osx-x86_64.exe`; lines 26-31 (shown in the PR hunk around 975-980) give the
*same* SHA-256 `737e7d52f11af89f39295e8a14e5ccb94582626c81e559137e62df8fc27cd6a4` for both
`osx-aarch_64` and `osx-x86_64`, unlike other tool pairs such as `buf`
(`gradle/verification-metadata.xml:29-40`) and `protoc`
(`gradle/verification-metadata.xml:591-595`), where aarch_64 and x86_64 checksums differ.
4. When Gradle downloads the real `protoc-gen-grpc-java-1.81.0-osx-x86_64.exe` for the
`grpc` codegen plugin, it computes the actual SHA-256 for the `osx-x86_64` binary and
compares it against the copied `osx-aarch_64` checksum from
`gradle/verification-metadata.xml:29-31`; if (as strongly suggested by differing checksums
for other macOS tools) the x86_64 binary's hash differs, dependency verification fails and
the `:protocol:generateProto` (and thus `:protocol:build`) task aborts on macOS x86_64.Fix in Cursor | Fix in VSCode Claude
(Use Cmd/Ctrl + Click for best experience)
Prompt for AI Agent 🤖
This is a comment left during a code review.
**Path:** gradle/verification-metadata.xml
**Line:** 975:980
**Comment:**
*Possible Bug: The checksum for the `osx-x86_64` gRPC codegen binary is set to the exact same value as `osx-aarch_64`, which is very likely a copied hash for a different artifact. If the Intel macOS binary differs (as classifier-specific binaries usually do), Gradle dependency verification will fail on x86_64 mac builds. Regenerate and store the checksum for the actual `protoc-gen-grpc-java-1.81.0-osx-x86_64.exe` artifact.
Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix
|
CodeAnt AI finished running the review. Thanks for using CodeAnt! 🎉We're free for open-source projects. if you're enjoying it, help us grow by sharing. Share on X · |
1 participant
User description
What does this PR do?
Why are these changes required?
This PR has been tested by:
Follow up
Extra details
CodeAnt-AI Description
Update bundled libraries to newer versions and remove known security risks
What Changed
Impact
✅ Lower risk from known library vulnerabilities✅ Safer app startup and API handling✅ Fewer dependency-related build failures🔄 Retrigger CodeAnt AI Review
Details
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.