[NOID] Update net.minidev:json-smart to 2.5.2 to address CVE-2024-5…

…7699 (#4380) * [NOID] bump minidev * [NOID] Update licenses --------- Co-authored-by: Gemma Lamont <[email protected]>
neo4j-contrib · Mar 7, 2025 · 3385096 · 3385096
1 parent 720f43f
commit 3385096
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 30 deletions.
diff --git a/LICENSES.txt b/LICENSES.txt
@@ -8,7 +8,7 @@ Apache-2.0
   HikariCP-4.0.3.jar
   RoaringBitmap-0.7.17.jar
   WMI4Java-1.6.3.jar
-  accessors-smart-2.5.0.jar
+  accessors-smart-2.5.2.jar
   annotations-17.0.0.jar
   apiguardian-api-1.1.0.jar
   arrow-format-16.1.0.jar
@@ -140,7 +140,7 @@ Apache-2.0
   jnr-ffi-2.1.7.jar
   joda-time-2.12.7.jar
   json-path-2.9.0.jar
-  json-smart-2.5.0.jar
+  json-smart-2.5.2.jar
   jsonschema2pojo-core-1.0.2.jar
   jsr305-3.0.2.jar
   kerb-admin-2.0.3.jar
@@ -168,11 +168,11 @@ Apache-2.0
   mercator_2.12-0.2.1.jar
   metrics-core-3.2.4.jar
   netty-all-4.1.100.Final.jar
-  netty-buffer-4.1.115.Final.jar
-  netty-codec-4.1.115.Final.jar
+  netty-buffer-4.1.118.Final.jar
+  netty-codec-4.1.118.Final.jar
   netty-codec-dns-4.1.100.Final.jar
   netty-codec-haproxy-4.1.100.Final.jar
-  netty-codec-http-4.1.115.Final.jar
+  netty-codec-http-4.1.118.Final.jar
   netty-codec-http2-4.1.100.Final.jar
   netty-codec-memcache-4.1.100.Final.jar
   netty-codec-mqtt-4.1.100.Final.jar
@@ -181,24 +181,24 @@ Apache-2.0
   netty-codec-socks-4.1.100.Final.jar
   netty-codec-stomp-4.1.100.Final.jar
   netty-codec-xml-4.1.100.Final.jar
-  netty-common-4.1.115.Final.jar
-  netty-handler-4.1.115.Final.jar
+  netty-common-4.1.118.Final.jar
+  netty-handler-4.1.118.Final.jar
   netty-handler-proxy-4.1.100.Final.jar
   netty-handler-ssl-ocsp-4.1.100.Final.jar
-  netty-resolver-4.1.115.Final.jar
+  netty-resolver-4.1.118.Final.jar
   netty-resolver-dns-4.1.100.Final.jar
   netty-resolver-dns-classes-macos-4.1.100.Final.jar
   netty-resolver-dns-native-macos-4.1.100.Final-osx-aarch_64.jar
   netty-resolver-dns-native-macos-4.1.100.Final-osx-x86_64.jar
-  netty-transport-4.1.115.Final.jar
-  netty-transport-classes-epoll-4.1.115.Final.jar
+  netty-transport-4.1.118.Final.jar
+  netty-transport-classes-epoll-4.1.118.Final.jar
   netty-transport-classes-kqueue-4.1.100.Final.jar
-  netty-transport-native-epoll-4.1.115.Final-linux-aarch_64.jar
-  netty-transport-native-epoll-4.1.115.Final-linux-x86_64.jar
-  netty-transport-native-epoll-4.1.115.Final.jar
+  netty-transport-native-epoll-4.1.118.Final-linux-aarch_64.jar
+  netty-transport-native-epoll-4.1.118.Final-linux-x86_64.jar
+  netty-transport-native-epoll-4.1.118.Final.jar
   netty-transport-native-kqueue-4.1.100.Final-osx-aarch_64.jar
   netty-transport-native-kqueue-4.1.100.Final-osx-x86_64.jar
-  netty-transport-native-unix-common-4.1.115.Final.jar
+  netty-transport-native-unix-common-4.1.118.Final.jar
   netty-transport-rxtx-4.1.100.Final.jar
   netty-transport-sctp-4.1.100.Final.jar
   netty-transport-udt-4.1.100.Final.jar
@@ -746,7 +746,7 @@ BSD-3-Clause
   antlr4-4.7.2.jar
   antlr4-runtime-4.7.2.jar
   asm-9.2.jar
-  asm-9.3.jar
+  asm-9.7.1.jar
   asm-analysis-9.2.jar
   asm-commons-5.0.3.jar
   asm-tree-9.2.jar

diff --git a/NOTICE.txt b/NOTICE.txt
@@ -38,7 +38,7 @@ Apache-2.0
   HikariCP-4.0.3.jar
   RoaringBitmap-0.7.17.jar
   WMI4Java-1.6.3.jar
-  accessors-smart-2.5.0.jar
+  accessors-smart-2.5.2.jar
   annotations-17.0.0.jar
   apiguardian-api-1.1.0.jar
   arrow-format-16.1.0.jar
@@ -170,7 +170,7 @@ Apache-2.0
   jnr-ffi-2.1.7.jar
   joda-time-2.12.7.jar
   json-path-2.9.0.jar
-  json-smart-2.5.0.jar
+  json-smart-2.5.2.jar
   jsonschema2pojo-core-1.0.2.jar
   jsr305-3.0.2.jar
   kerb-admin-2.0.3.jar
@@ -198,11 +198,11 @@ Apache-2.0
   mercator_2.12-0.2.1.jar
   metrics-core-3.2.4.jar
   netty-all-4.1.100.Final.jar
-  netty-buffer-4.1.115.Final.jar
-  netty-codec-4.1.115.Final.jar
+  netty-buffer-4.1.118.Final.jar
+  netty-codec-4.1.118.Final.jar
   netty-codec-dns-4.1.100.Final.jar
   netty-codec-haproxy-4.1.100.Final.jar
-  netty-codec-http-4.1.115.Final.jar
+  netty-codec-http-4.1.118.Final.jar
   netty-codec-http2-4.1.100.Final.jar
   netty-codec-memcache-4.1.100.Final.jar
   netty-codec-mqtt-4.1.100.Final.jar
@@ -211,24 +211,24 @@ Apache-2.0
   netty-codec-socks-4.1.100.Final.jar
   netty-codec-stomp-4.1.100.Final.jar
   netty-codec-xml-4.1.100.Final.jar
-  netty-common-4.1.115.Final.jar
-  netty-handler-4.1.115.Final.jar
+  netty-common-4.1.118.Final.jar
+  netty-handler-4.1.118.Final.jar
   netty-handler-proxy-4.1.100.Final.jar
   netty-handler-ssl-ocsp-4.1.100.Final.jar
-  netty-resolver-4.1.115.Final.jar
+  netty-resolver-4.1.118.Final.jar
   netty-resolver-dns-4.1.100.Final.jar
   netty-resolver-dns-classes-macos-4.1.100.Final.jar
   netty-resolver-dns-native-macos-4.1.100.Final-osx-aarch_64.jar
   netty-resolver-dns-native-macos-4.1.100.Final-osx-x86_64.jar
-  netty-transport-4.1.115.Final.jar
-  netty-transport-classes-epoll-4.1.115.Final.jar
+  netty-transport-4.1.118.Final.jar
+  netty-transport-classes-epoll-4.1.118.Final.jar
   netty-transport-classes-kqueue-4.1.100.Final.jar
-  netty-transport-native-epoll-4.1.115.Final-linux-aarch_64.jar
-  netty-transport-native-epoll-4.1.115.Final-linux-x86_64.jar
-  netty-transport-native-epoll-4.1.115.Final.jar
+  netty-transport-native-epoll-4.1.118.Final-linux-aarch_64.jar
+  netty-transport-native-epoll-4.1.118.Final-linux-x86_64.jar
+  netty-transport-native-epoll-4.1.118.Final.jar
   netty-transport-native-kqueue-4.1.100.Final-osx-aarch_64.jar
   netty-transport-native-kqueue-4.1.100.Final-osx-x86_64.jar
-  netty-transport-native-unix-common-4.1.115.Final.jar
+  netty-transport-native-unix-common-4.1.118.Final.jar
   netty-transport-rxtx-4.1.100.Final.jar
   netty-transport-sctp-4.1.100.Final.jar
   netty-transport-udt-4.1.100.Final.jar
@@ -292,7 +292,7 @@ BSD-3-Clause
   antlr4-4.7.2.jar
   antlr4-runtime-4.7.2.jar
   asm-9.2.jar
-  asm-9.3.jar
+  asm-9.7.1.jar
   asm-analysis-9.2.jar
   asm-commons-5.0.3.jar
   asm-tree-9.2.jar

diff --git a/core/build.gradle b/core/build.gradle
@@ -40,6 +40,13 @@ dependencies {
     implementation group: 'com.jayway.jsonpath', name: 'json-path', version: '2.9.0'
     implementation group: 'org.hdrhistogram', name: 'HdrHistogram', version: '2.1.9'
 
+    constraints {
+        // Remove when json-path has updated transitive dependency
+        api('net.minidev:json-smart:2.5.2') {
+            because 'CVE-2024-57699'
+        }
+    }
+
     // compileOnly "org.antlr:antlr4-runtime:4.7.2"
     // testCompile "org.antlr:antlr4-runtime:4.7.2"