From f2df4835c4f25e52bc516d9b025495277077e118 Mon Sep 17 00:00:00 2001 From: Bhaskar Ram Date: Wed, 21 Jan 2026 19:47:23 +0530 Subject: [PATCH] fix: Update critical security dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update Log4j2: 2.19.0 → 2.24.3 (addresses CVE-2021-44228 and subsequent vulnerabilities) - Update Jackson: 2.10.0.pr1 → 2.17.2 (security fixes, using Java 11 compatible version) - Update Spring Framework: 5.2.2.RELEASE → 5.3.39 (latest 5.x with security patches) - Update Netty: 4.1.42.Final → 4.1.115.Final (security and bug fixes) - Update Protobuf: 3.16.3 → 3.25.5 (includes protobuf-java-util) - Update Commons IO: 2.6 → 2.18.0 (bug fixes and improvements) - Update Commons Codec: 1.12 → 1.17.1 (bug fixes) These updates address multiple known security vulnerabilities and bring dependencies to their latest stable versions compatible with Java 11. Breaking Changes: None expected, all updates are within compatible version ranges. Testing: Requires full test suite validation before merge. --- pom.xml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/pom.xml b/pom.xml index 48ada3deb7d..121a0c66ae8 100644 --- a/pom.xml +++ b/pom.xml @@ -59,12 +59,12 @@ 3.1.0 1.9.4 1.4 - 1.12 + 1.17.1 3.2.2 4.3 1.10 2.10.1 - 2.6 + 2.18.0 3.3 2.6 1.2 @@ -100,7 +100,7 @@ 4.4.8 4.0.4 9.4.21.Final - 2.10.0.pr1 + 2.17.2 1.9.13 2.3.3 3.24.0-GA @@ -122,24 +122,24 @@ 2.7.2b2 2.20 2.20 - 2.19.0 + 2.24.3 7.5.0 1.6.0 1.2 2.23.0 9.3.0 - 4.1.42.Final + 4.1.115.Final 2.1 5.0.3.Final 2.0.9 2.61.0 - 3.16.3 - 3.16.3 + 3.25.5 + 3.25.5 1.6.2 12.4 2.0.12 3.1.5 - 5.2.2.RELEASE + 5.3.39 ${version.spring} 2.9.6 0.17.0
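Review bot: The two bumps in the `@@ -59,12 +59,12 @@` hunk (`1.12` to `1.17.1` and `2.6` to `2.18.0`) are described in the commit message itself as "bug fixes" and "bug fixes and improvements" for Commons Codec and Commons IO, not as security fixes, so they sit oddly under a "critical security dependencies" subject. Consider moving them to a separate commit so the security-motivated bumps can be reviewed, backported or reverted on their own. If a specific advisory is behind either bump, name it in the message.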
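Review bot: The single changed line in the `@@ -100,7 +100,7 @@` hunk moves Jackson from a pre-release (`2.10.0.pr1`) across seven minor lines to `2.17.2`, and the commit message's "Breaking Changes: None expected" is not backed by any test evidence, since the same message says the full test suite still has to be run. Please attach the test results for the serialization and deserialization paths before merge. Also confirm that every Jackson artifact governed by this property publishes a `2.17.2` release. The "security fixes" rationale for this line should list the advisories it closes, so the bump can be traced later.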
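Review bot: In the `@@ -122,24 +122,24 @@` hunk, the `2.19.0` to `2.24.3` Log4j2 line is justified in the commit message by CVE-2021-44228, but 2.19.0 was released after the Log4Shell fixes, so that CVE does not apply to the version being removed. The message should cite the issues actually fixed between 2.19.0 and 2.24.3, otherwise the stated urgency is misleading for anyone triaging backports. In the same hunk, `5.2.2.RELEASE` to `5.3.39` changes the Spring minor line (5.2 to 5.3), which is more than the "within compatible version ranges" claim suggests. The context line that follows is defined as `${version.spring}`, so whatever it controls moves to 5.3.39 as well. Confirm that artifact has a 5.3.39 release, and split the Spring and Netty (`4.1.42.Final` to `4.1.115.Final`) bumps from the Log4j2 one if they need separate validation.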