From 9ec5dfde8b17f88288ddec42e27ac0e561e62c94 Mon Sep 17 00:00:00 2001
From: staging-update-bot
Date: Fri, 28 Nov 2025 23:03:21 +0000
Subject: [PATCH 1/3] nextflow/25.10.2 package update
---
 nextflow.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nextflow.yaml b/nextflow.yaml
index 0fe940083f4..906c532139f 100644
--- a/nextflow.yaml
+++ b/nextflow.yaml
@@ -1,6 +1,6 @@
 package:
 name: nextflow
- version: "25.10.0"
+ version: "25.10.2"
 epoch: 0
 description: A DSL for data-driven computational pipelines.
 copyright:
@@ -28,7 +28,7 @@ pipeline:
 - uses: git-checkout
 with:
 repository: https://github.com/nextflow-io/nextflow.git
- expected-commit: 2db01e6e9cf8fe266e729c424e2d97cff4e43de2
+ expected-commit: c03082c9b816774c799660d22c2b56d72218fddc
 tag: v${{package.version}}
 - uses: patch
From 607fd30ae33b01a367a3ae44ce4af5095143de44 Mon Sep 17 00:00:00 2001
From: Daniel Watkins
Date: Mon, 1 Dec 2025 11:57:36 -0500
Subject: [PATCH 2/3] nextflow: drop now-unreferenced patch file
---
 .../eclipse-GHSA-vrpq-qp53-qv56-fix.patch | 23 -------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 nextflow/eclipse-GHSA-vrpq-qp53-qv56-fix.patch
diff --git a/nextflow/eclipse-GHSA-vrpq-qp53-qv56-fix.patch b/nextflow/eclipse-GHSA-vrpq-qp53-qv56-fix.patch
deleted file mode 100644
index 1af05b5dd3e..00000000000
--- a/nextflow/eclipse-GHSA-vrpq-qp53-qv56-fix.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 16b88aca2ea222b264171535b3a3735031b9f1d2 Mon Sep 17 00:00:00 2001
-From: Paolo Di Tommaso
-Date: Sat, 24 May 2025 21:59:34 +0200
-Subject: [PATCH] Bump jgit:7.1.1.202505221757-r [ci fast]
-
-Signed-off-by: Paolo Di Tommaso
----
- modules/nextflow/build.gradle | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/nextflow/build.gradle b/modules/nextflow/build.gradle
-index 57dfa8aa33..ae3dc903f8 100644
---- a/modules/nextflow/build.gradle
-+++ b/modules/nextflow/build.gradle
-@@ -44,7 +44,7 @@ dependencies {
- api "com.beust:jcommander:1.35"
- api("com.esotericsoftware.kryo:kryo:2.24.0") { exclude group: 'com.esotericsoftware.minlog', module: 'minlog' }
- api('org.iq80.leveldb:leveldb:0.12')
-- api('org.eclipse.jgit:org.eclipse.jgit:7.1.0.202411261347-r')
-+ api('org.eclipse.jgit:org.eclipse.jgit:7.1.1.202505221757-r')
- api ('javax.activation:activation:1.1.1')
- api ('javax.mail:mail:1.4.7')
- api ('org.yaml:snakeyaml:2.2')
From e1579c72c3a7d2bf8588c52b0b730fbecc6ac901 Mon Sep 17 00:00:00 2001
From: Daniel Watkins
Date: Mon, 1 Dec 2025 11:58:02 -0500
Subject: [PATCH 3/3] nextflow: drop superseded CVE remediations
Upstream is on or past the versions we're patching to.
---
 nextflow.yaml | 8 --------
 nextflow/logback.patch | 15 ---------------
 2 files changed, 23 deletions(-)
 delete mode 100644 nextflow/logback.patch
diff --git a/nextflow.yaml b/nextflow.yaml
index 906c532139f..61f5b218fee 100644
--- a/nextflow.yaml
+++ b/nextflow.yaml
@@ -31,14 +31,6 @@ pipeline:
 expected-commit: c03082c9b816774c799660d22c2b56d72218fddc
 tag: v${{package.version}}
- - uses: patch
- with:
- patches: logback.patch
-
- - runs: |
- # CVE-2025-48924 GHSA-j288-q9x7-2f5v
- sed -i -e 's|org.apache.commons:commons-lang3=3.12.0|org.apache.commons:commons-lang3=3.18.0|g' plugins/nf-wave/build.gradle
-
 - runs: |
 sed -i 's/jar\.enabled = false/jar.enabled = true/' build.gradle
 ./gradlew build -x test --no-daemon
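Review bot: With the `logback.patch` step and the commons-lang3 `sed` for CVE-2025-48924 (GHSA-j288-q9x7-2f5v) deleted, the remaining `runs:` block builds whatever the `v${{package.version}}` tag pins, and nothing visible in this hunk confirms those pins are at or above logback 1.5.19 and commons-lang3 3.18.0; the commit message only asserts it. The removed `sed` rewrote an exact `commons-lang3=3.12.0` string and would have changed nothing on any other pin, so there was never a build-time check to fall back on. I would keep the trail in the file with a comment above the build step, `# logback and commons-lang3 (CVE-2025-48924) remediations dropped at 25.10.2: upstream pins are at or above the patched versions`, and confirm the resolved versions from a dependency listing or scan of the built package before merging. The pipeline continues outside the hunk.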
diff --git a/nextflow/logback.patch b/nextflow/logback.patch
deleted file mode 100644
index aa214ea5450..00000000000
--- a/nextflow/logback.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/modules/nextflow/build.gradle b/modules/nextflow/build.gradle
-index 7dac6cece..0204482c2 100644
---- a/modules/nextflow/build.gradle
-+++ b/modules/nextflow/build.gradle
-@@ -34,8 +34,8 @@ dependencies {
- api "org.slf4j:jcl-over-slf4j:2.0.17"
- api "org.slf4j:jul-to-slf4j:2.0.17"
- api "org.slf4j:log4j-over-slf4j:2.0.17"
-- api "ch.qos.logback:logback-classic:1.5.18"
-- api "ch.qos.logback:logback-core:1.5.18"
-+ api "ch.qos.logback:logback-classic:1.5.19"
-+ api "ch.qos.logback:logback-core:1.5.19"
- api "org.codehaus.gpars:gpars:1.2.1"
- api("ch.artecat.grengine:grengine:3.0.2") { exclude group: 'org.codehaus.groovy' }
- api "commons-lang:commons-lang:2.6"