Bump net.minidev:json-smart from 2.5.1 to 2.5.2 in /plugins/repository-hdfs

[dependabot]

Bumps net.minidev:json-smart from 2.5.1 to 2.5.2.

Release notes

Sourced from net.minidev:json-smart's releases.

2.5.2

About CVE-2024-57699

Thanks for @​ccudennec-otto Some remarks on the CVE, more discussions in #236

• as mentioned here it is quite unlikely that the vulnerability is exploited if you come here because of Spring Security / com.nimbusds:oauth2-oidc-sdk
• the code changes for the upcoming release will "only" fix the default modes provided by JSONParser, e.g. MODE_RFC4627
• if you create the JSONParser manually / with custom options, make sure you set option LIMIT_JSON_DEPTH
  • since that's what "connect2id" is doing in their library, they were responsible for fixing it. They've already provided a new 11.x release that fixes the JSONParser setup on their side, i.e. you rather need their fixed version and not version 2.5.2 of json-smart
  • as stated here, they would also need to backport the fix to the versions that Spring Security needs IMHO

What's Changed

• fix CVE-2024-57699 for predefined parsers by @​ccudennec-otto in netplex/json-smart-v2#233
• update maintainer github id and email by @​hezhangjian in netplex/json-smart-v2#234
• Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart-action by @​dependabot in netplex/json-smart-v2#189
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart-action by @​dependabot in netplex/json-smart-v2#190
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart-action by @​dependabot in netplex/json-smart-v2#191
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.1.0 to 3.2.4 in /json-smart by @​dependabot in netplex/json-smart-v2#194
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 in /json-smart by @​dependabot in netplex/json-smart-v2#193
• Bump org.apache.maven.plugins:maven-source-plugin from 3.3.0 to 3.3.1 in /json-smart by @​dependabot in netplex/json-smart-v2#192
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart by @​dependabot in netplex/json-smart-v2#188
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#185
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#196
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 in /json-smart by @​dependabot in netplex/json-smart-v2#197
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.4.1 to 3.4.2 in /json-smart-action by @​dependabot in netplex/json-smart-v2#198
• Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#200
• Bump junit.version from 5.10.2 to 5.10.3 in /json-smart-action by @​dependabot in netplex/json-smart-v2#199
• Bump junit.version from 5.10.2 to 5.10.3 in /json-smart by @​dependabot in netplex/json-smart-v2#201
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.4.1 to 3.4.2 in /json-smart by @​dependabot in netplex/json-smart-v2#203
• Bump org.apache.maven.plugins:maven-release-plugin from 3.0.1 to 3.1.0 in /json-smart by @​dependabot in netplex/json-smart-v2#202
• Bump org.apache.maven.plugins:maven-release-plugin from 3.1.0 to 3.1.1 in /json-smart by @​dependabot in netplex/json-smart-v2#205
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 in /json-smart by @​dependabot in netplex/json-smart-v2#206
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#207
• Bump org.apache.maven.plugins:maven-release-plugin from 3.1.0 to 3.1.1 in /json-smart-action by @​dependabot in netplex/json-smart-v2#208
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.10.0 in /json-smart by @​dependabot in netplex/json-smart-v2#214
• Bump junit.version from 5.10.3 to 5.11.0 in /json-smart by @​dependabot in netplex/json-smart-v2#213
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.4 to 3.2.5 in /json-smart by @​dependabot in netplex/json-smart-v2#212
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.8.0 to 3.10.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#211
• Bump junit.version from 5.10.3 to 5.11.0 in /json-smart-action by @​dependabot in netplex/json-smart-v2#210
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.4 to 3.2.5 in /json-smart-action by @​dependabot in netplex/json-smart-v2#209
• Bump junit.version from 5.11.0 to 5.11.1 in /json-smart-action by @​dependabot in netplex/json-smart-v2#219
• Bump junit.version from 5.11.0 to 5.11.1 in /json-smart by @​dependabot in netplex/json-smart-v2#216
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.5 to 3.2.7 in /json-smart-action by @​dependabot in netplex/json-smart-v2#218
• Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.5 to 3.2.7 in /json-smart by @​dependabot in netplex/json-smart-v2#217
• update version and dates. by @​UrielCh in netplex/json-smart-v2#220
• Bump junit.version from 5.11.2 to 5.11.3 in /json-smart by @​dependabot in netplex/json-smart-v2#222
• Bump junit.version from 5.11.2 to 5.11.3 in /json-smart-action by @​dependabot in netplex/json-smart-v2#221
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.11.1 in /json-smart by @​dependabot in netplex/json-smart-v2#226
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.11.1 in /json-smart-action by @​dependabot in netplex/json-smart-v2#224
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.1 to 3.11.2 in /json-smart-action by @​dependabot in netplex/json-smart-v2#231
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.1 to 3.11.2 in /json-smart by @​dependabot in netplex/json-smart-v2#229
• Bump junit.version from 5.11.3 to 5.11.4 in /json-smart-action by @​dependabot in netplex/json-smart-v2#230
• Bump junit.version from 5.11.3 to 5.11.4 in /json-smart by @​dependabot in netplex/json-smart-v2#228

... (truncated)

Commits

• d4f7fa4 migrate to s01.oss.sonatype.org
• 9ca093d docs: mark v2.5.2 not released now
• 55fa105 update maintainer github id and email (#234)
• 7ecb1d3 bump to version 2.5.2.
• 852caf6 Merge pull request #233 from ccudennec-otto/fix-CVE-2024-57699
• d1f4645 Merge pull request #228 from netplex/dependabot/maven/json-smart/junit.versio...
• 19a787e Merge pull request #230 from netplex/dependabot/maven/json-smart-action/junit...
• f2be4c1 Merge pull request #229 from netplex/dependabot/maven/json-smart/org.apache.m...
• 224943a Merge pull request #231 from netplex/dependabot/maven/json-smart-action/org.a...
• c21d854 fix CVE-2024-57699 for predefined parsers
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

❌ Gradle check result for 66c937a: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[cwperks]

@dependabot rebase

[github-actions]

❌ Gradle check result for 22abb07: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[cwperks]

@dependabot rebase

[github-actions]

❌ Gradle check result for 7ccbcd1: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[cwperks]

@dependabot rebase

[jainankitk]

@cwperks - Wondering if this change needs a changelog entry?

[cwperks]

@cwperks - Wondering if this change needs a changelog entry?

After the CI is finished running, there's another workflow for dependabot PRs to do actions like add to the CHANGELOG and updateSHAs.

[github-actions]

❌ Gradle check result for be40049: null

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❕ Gradle check result for be40049: UNSTABLE

• TEST FAILURES:

      1 org.opensearch.snapshots.DedicatedClusterSnapshotRestoreIT.testSnapshotWithStuckNode
      1 org.opensearch.cluster.MinimumClusterManagerNodesIT.testThreeNodesNoClusterManagerBlock

Please review all flaky tests that succeeded after retry and create an issue if one does not already exist to track the flaky failure.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 72.44%. Comparing base (bad652b) to head (be40049).
Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #17376   +/-   ##
=========================================
  Coverage     72.43%   72.44%           
+ Complexity    65591    65585    -6     
=========================================
  Files          5291     5291           
  Lines        304325   304325           
  Branches      44181    44181           
=========================================
+ Hits         220445   220473   +28     
+ Misses        65813    65754   -59     
- Partials      18067    18098   +31     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cwperks]

Looks like the CHANGELOG was skipped because it was done in #17378 for the same dep in a different module.

These modules have not been switched over to use the gradle version catalog yet which will help reduce such cases from 2 separate PRs to a single dependabot PR.

[dbwiddis]

@reta @peternied @cwperks any reason why dependabot missed this related bump? for CVE-2024-57699

OpenSearch/plugins/repository-azure/build.gradle

Line 71 in 9bef705

api 'net.minidev:json-smart:2.5.1'

EDIT: Seems we're limited to one open bump PR at a time with a weekly interval.

OpenSearch/.github/dependabot.yml

Lines 950 to 954 in 9bef705

	- directory: /plugins/repository-azure/
	open-pull-requests-limit: 1
	package-ecosystem: gradle
	schedule:
	interval: weekly

These modules have not been switched over to use the gradle version catalog yet which will help reduce such cases from 2 separate PRs to a single dependabot PR.

Should be 3 :)