Bump netty dependencies to 4.1.62.Final #16353
Labels: in:Transport, release bug (This bug is present in a released version of Open Liberty), release:21004, team:Sirius
Dependabot opened a PR to update netty-codec-http2 due to a CVE in the version we consume: #16180

Edit: we'll skip 4.1.60 in favor of 4.1.61: #16417

Another edit: Netty released 4.1.62 a few hours after 4.1.61 to address a regression https://netty.io/news/2021/03/31/4-1-62-Final.html so we'll go with that one

Currently Liberty only uses Netty for its grpcClient-1.0 feature, and that code is not vulnerable per the description at GHSA-wm47-8v5p-wjpj. So we don't need an update to address the vulnerability, but regardless I'll use this issue to do the update.

This update has been blocked due to an incompatibility in gRPC with the updates made in Netty 4.1.60 - see grpc/grpc-java#7953. Fixes for that will be available in 1.35.1 and 1.36.1, so once those are released we can update these dependencies together.