Update to latest ring-core

This brings in org.apache.commons/commons-fileupload2-core 2.0.0-M4 to
address CVE-2025-48976.

Author: tobias

dependabot/deps-list.txt

@@ -55,7 +55,7 @@ commons-beanutils/commons-beanutils 1.11.0  (Apache-2.0)
 commons-codec/commons-codec 1.16.0  (Apache-2.0)
 commons-collections/commons-collections 3.2.2  (Apache-2.0)
 commons-digester/commons-digester 1.6 
-commons-io/commons-io 2.15.1  (Apache-2.0)
+commons-io/commons-io 2.19.0  (Apache-2.0)
 commons-logging/commons-logging 1.3.5  (Apache-2.0)
 commons-validator/commons-validator 1.3.1  (Apache-2.0)
 compojure/compojure 1.5.1  (EPL-1.0)
@@ -81,7 +81,7 @@ mvxcvi/arrangement 2.1.0  (Public Domain)
 net.cgrand/regex 1.0.1 
 one-time/one-time 0.7.0  (EPL-1.0)
 org.apache.commons/commons-email 1.5  (Apache-2.0)
-org.apache.commons/commons-fileupload2-core 2.0.0-M1  (Apache-2.0)
+org.apache.commons/commons-fileupload2-core 2.0.0-M4  (Apache-2.0)
 org.apache.httpcomponents/httpasyncclient 4.1.4  (Apache-2.0)
 org.apache.httpcomponents/httpclient 4.5.13  (Apache-2.0)
 org.apache.httpcomponents/httpclient-cache 4.5.13  (Apache-2.0)
@@ -119,31 +119,31 @@ org.clojure/tools.macro 0.1.5  (EPL-1.0)
 org.clojure/tools.nrepl 0.2.11  (EPL-1.0)
 org.clojure/tools.reader 1.5.0  (EPL-1.0)
 org.codehaus.plexus/plexus-utils 3.3.0  (Apache-2.0)
-org.eclipse.jetty/jetty-http 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-io 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-security 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-server 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-servlet 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-unixdomain-server 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-util 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-webapp 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty/jetty-xml 11.0.24  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-http 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-io 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-security 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-server 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-servlet 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-unixdomain-server 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-util 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-webapp 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty/jetty-xml 11.0.25  (Eclipse Public License - Version 2.0)
 org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api 5.0.2  (Apache-2.0)
-org.eclipse.jetty.websocket/websocket-core-common 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty.websocket/websocket-core-server 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty.websocket/websocket-jetty-api 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty.websocket/websocket-jetty-common 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty.websocket/websocket-jetty-server 11.0.24  (Eclipse Public License - Version 2.0)
-org.eclipse.jetty.websocket/websocket-servlet 11.0.24  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-core-common 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-core-server 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-jetty-api 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-jetty-common 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-jetty-server 11.0.25  (Eclipse Public License - Version 2.0)
+org.eclipse.jetty.websocket/websocket-servlet 11.0.25  (Eclipse Public License - Version 2.0)
 org.flatland/ordered 1.5.9  (EPL-1.0)
 org.javassist/javassist 3.18.1-GA  (MPL 1.1)
 org.mindrot/jbcrypt 0.4  (ISC)
 org.msgpack/msgpack 0.6.12  (Apache-2.0)
 org.ow2.asm/asm 9.2  (BSD-3-Clause)
 org.postgresql/postgresql 42.7.2  (BSD-2-Clause)
-org.ring-clojure/ring-core-protocols 1.12.1  (MIT)
-org.ring-clojure/ring-jakarta-servlet 1.13.0  (MIT)
-org.ring-clojure/ring-websocket-protocols 1.12.1  (MIT)
+org.ring-clojure/ring-core-protocols 1.14.2  (MIT)
+org.ring-clojure/ring-jakarta-servlet 1.13.1  (MIT)
+org.ring-clojure/ring-websocket-protocols 1.14.2  (MIT)
 org.slf4j/slf4j-api 2.0.13  (MIT)
 org.tukaani/xz 1.9  (Public Domain)
 org.yaml/snakeyaml 1.33  (Apache-2.0)
@@ -153,11 +153,11 @@ raven-clj/raven-clj 1.7.0  (EPL-1.0)
 realize/realize 2019-04-24  (BSD-3-Clause)
 riddley/riddley 0.1.12  (MIT)
 ring/ring-anti-forgery 1.3.1  (MIT)
-ring/ring-codec 1.2.0  (MIT)
-ring/ring-core 1.12.1  (MIT)
+ring/ring-codec 1.3.0  (MIT)
+ring/ring-core 1.14.2  (MIT)
 ring/ring-defaults 0.5.0  (MIT)
 ring/ring-headers 0.4.0  (MIT)
-ring/ring-jetty-adapter 1.13.0  (MIT)
+ring/ring-jetty-adapter 1.13.1  (MIT)
 ring/ring-ssl 0.4.0  (MIT)
 ring-jetty-component/ring-jetty-component 0.3.1  (MIT)
 ring-middleware-format/ring-middleware-format 0.7.5  (EPL-1.0)

dependabot/deps-tree.txt

@@ -61,51 +61,51 @@ org.bouncycastle/bcpkix-jdk18on 1.78
   X org.bouncycastle/bcprov-jdk18on 1.78 :use-top
   . org.bouncycastle/bcutil-jdk18on 1.78
     X org.bouncycastle/bcprov-jdk18on 1.78 :use-top
-ring/ring-jetty-adapter 1.13.0
-  X ring/ring-core 1.13.0 :use-top
-  . org.ring-clojure/ring-jakarta-servlet 1.13.0
-    X ring/ring-core 1.13.0 :use-top
-  . org.eclipse.jetty/jetty-server 11.0.24
-    . org.eclipse.jetty/jetty-http 11.0.24
-      . org.eclipse.jetty/jetty-io 11.0.24
-      . org.eclipse.jetty/jetty-util 11.0.24
-        X org.slf4j/slf4j-api 2.0.9 :use-top
-      X org.slf4j/slf4j-api 2.0.9 :use-top
-    . org.eclipse.jetty/jetty-io 11.0.24
-      . org.eclipse.jetty/jetty-util 11.0.24
-      X org.slf4j/slf4j-api 2.0.9 :use-top
+ring/ring-jetty-adapter 1.13.1
+  X ring/ring-core 1.13.1 :use-top
+  . org.ring-clojure/ring-jakarta-servlet 1.13.1
+    X ring/ring-core 1.13.1 :use-top
+  . org.eclipse.jetty/jetty-server 11.0.25
+    . org.eclipse.jetty/jetty-http 11.0.25
+      . org.eclipse.jetty/jetty-io 11.0.25
+      . org.eclipse.jetty/jetty-util 11.0.25
+        X org.slf4j/slf4j-api 2.0.13 :use-top
+      X org.slf4j/slf4j-api 2.0.13 :use-top
+    . org.eclipse.jetty/jetty-io 11.0.25
+      . org.eclipse.jetty/jetty-util 11.0.25
+      X org.slf4j/slf4j-api 2.0.13 :use-top
     . org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api 5.0.2
-    X org.slf4j/slf4j-api 2.0.9 :use-top
-  . org.eclipse.jetty/jetty-unixdomain-server 11.0.24
-    . org.eclipse.jetty/jetty-server 11.0.24
-    X org.slf4j/slf4j-api 2.0.9 :use-top
-  . org.eclipse.jetty.websocket/websocket-jetty-server 11.0.24
-    . org.eclipse.jetty/jetty-servlet 11.0.24
-      . org.eclipse.jetty/jetty-security 11.0.24
-        . org.eclipse.jetty/jetty-server 11.0.24
-        X org.slf4j/slf4j-api 2.0.9 :use-top
-      X org.slf4j/slf4j-api 2.0.9 :use-top
-    . org.eclipse.jetty/jetty-webapp 11.0.24
-      . org.eclipse.jetty/jetty-servlet 11.0.24
-      . org.eclipse.jetty/jetty-xml 11.0.24
-        . org.eclipse.jetty/jetty-util 11.0.24
-        X org.slf4j/slf4j-api 2.0.9 :use-top
-      X org.slf4j/slf4j-api 2.0.9 :use-top
+    X org.slf4j/slf4j-api 2.0.13 :use-top
+  . org.eclipse.jetty/jetty-unixdomain-server 11.0.25
+    . org.eclipse.jetty/jetty-server 11.0.25
+    X org.slf4j/slf4j-api 2.0.13 :use-top
+  . org.eclipse.jetty.websocket/websocket-jetty-server 11.0.25
+    . org.eclipse.jetty/jetty-servlet 11.0.25
+      . org.eclipse.jetty/jetty-security 11.0.25
+        . org.eclipse.jetty/jetty-server 11.0.25
+        X org.slf4j/slf4j-api 2.0.13 :use-top
+      X org.slf4j/slf4j-api 2.0.13 :use-top
+    . org.eclipse.jetty/jetty-webapp 11.0.25
+      . org.eclipse.jetty/jetty-servlet 11.0.25
+      . org.eclipse.jetty/jetty-xml 11.0.25
+        . org.eclipse.jetty/jetty-util 11.0.25
+        X org.slf4j/slf4j-api 2.0.13 :use-top
+      X org.slf4j/slf4j-api 2.0.13 :use-top
     . org.eclipse.jetty.toolchain/jetty-jakarta-servlet-api 5.0.2
-    . org.eclipse.jetty.websocket/websocket-jetty-api 11.0.24
-    . org.eclipse.jetty.websocket/websocket-jetty-common 11.0.24
-      . org.eclipse.jetty.websocket/websocket-core-common 11.0.24
-        . org.eclipse.jetty/jetty-http 11.0.24
-        . org.eclipse.jetty/jetty-io 11.0.24
-        X org.slf4j/slf4j-api 2.0.9 :use-top
-      . org.eclipse.jetty.websocket/websocket-jetty-api 11.0.24
-    . org.eclipse.jetty.websocket/websocket-servlet 11.0.24
-      . org.eclipse.jetty/jetty-servlet 11.0.24
-      . org.eclipse.jetty.websocket/websocket-core-server 11.0.24
-        . org.eclipse.jetty/jetty-server 11.0.24
-        . org.eclipse.jetty.websocket/websocket-core-common 11.0.24
-      X org.slf4j/slf4j-api 2.0.9 :use-top
-    X org.slf4j/slf4j-api 2.0.9 :use-top
+    . org.eclipse.jetty.websocket/websocket-jetty-api 11.0.25
+    . org.eclipse.jetty.websocket/websocket-jetty-common 11.0.25
+      . org.eclipse.jetty.websocket/websocket-core-common 11.0.25
+        . org.eclipse.jetty/jetty-http 11.0.25
+        . org.eclipse.jetty/jetty-io 11.0.25
+        X org.slf4j/slf4j-api 2.0.13 :use-top
+      . org.eclipse.jetty.websocket/websocket-jetty-api 11.0.25
+    . org.eclipse.jetty.websocket/websocket-servlet 11.0.25
+      . org.eclipse.jetty/jetty-servlet 11.0.25
+      . org.eclipse.jetty.websocket/websocket-core-server 11.0.25
+        . org.eclipse.jetty/jetty-server 11.0.25
+        . org.eclipse.jetty.websocket/websocket-core-common 11.0.25
+      X org.slf4j/slf4j-api 2.0.13 :use-top
+    X org.slf4j/slf4j-api 2.0.13 :use-top
 com.stuartsierra/component 0.3.1
   . com.stuartsierra/dependency 0.2.0
 org.apache.commons/commons-email 1.5
@@ -276,13 +276,13 @@ raven-clj/raven-clj 1.7.0
   . org.clj-commons/clj-http-lite 1.0.13
   . prone/prone 2021-04-23
     . realize/realize 2019-04-24
-ring/ring-core 1.12.1
-  . org.ring-clojure/ring-core-protocols 1.12.1
-  . org.ring-clojure/ring-websocket-protocols 1.12.1
-  . ring/ring-codec 1.2.0 :newer-version
-  . commons-io/commons-io 2.15.1 :newer-version
-  . org.apache.commons/commons-fileupload2-core 2.0.0-M1
-    X commons-io/commons-io 2.13.0 :older-version
+ring/ring-core 1.14.2
+  . org.ring-clojure/ring-core-protocols 1.14.2
+  . org.ring-clojure/ring-websocket-protocols 1.14.2
+  . ring/ring-codec 1.3.0 :newer-version
+  . commons-io/commons-io 2.19.0 :newer-version
+  . org.apache.commons/commons-fileupload2-core 2.0.0-M4
+    . commons-io/commons-io 2.19.0
   . crypto-random/crypto-random 1.2.1
     X commons-codec/commons-codec 1.15 :older-version
   . crypto-equality/crypto-equality 1.0.1

dependabot/pom.xml

@@ -91,7 +91,7 @@
     <dependency>
       <groupId>ring</groupId>
       <artifactId>ring-jetty-adapter</artifactId>
-      <version>1.13.0</version>
+      <version>1.13.1</version>
     </dependency>
     <dependency>
       <groupId>com.stuartsierra</groupId>
@@ -296,7 +296,7 @@
     <dependency>
       <groupId>ring</groupId>
       <artifactId>ring-core</artifactId>
-      <version>1.12.1</version>
+      <version>1.14.2</version>
     </dependency>
   </dependencies>
   <build>

deps.edn

@@ -75,10 +75,13 @@
   net.cgrand/regex {:mvn/version "1.0.1"}
 
   raven-clj/raven-clj {:mvn/version "1.7.0"}
-  ring/ring-core {:mvn/version "1.12.1"}
+  ring/ring-core {:mvn/version "1.14.2"}
   ring/ring-defaults {:mvn/version "0.5.0"}
-  ;; Audit clojars.ring-servlet-patch if updating this version!
-  ring/ring-jetty-adapter {:mvn/version "1.13.0"}
+  ;; This version is out of sync from ring-core, since ring-core brings in Jetty
+  ;; 12, and we need to remain on Jetty 11 as Jetty 12 breaks
+  ;; clojars.ring-servlet-patch. More research is needed to figure out why and
+  ;; how we can still send a response message with Jetty 12.
+  ring/ring-jetty-adapter {:mvn/version "1.13.1"}
   ring-jetty-component/ring-jetty-component {:mvn/version "0.3.1"}
   ring-middleware-format/ring-middleware-format {:mvn/version "0.7.5"}