
[SECURITY] Dependency Upgrade Tracking - Q1 2025 #6941

@montge

Description


Master Tracking: Security Dependency Upgrades

This issue tracks all security-related dependency upgrades for DDF.


Critical Priority (P0) - Immediate

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Hazelcast | 3.12.10 | Remove/5.5.0 | 4 | 🔴 Not Started |
| GeoTools | 24.6 | 28.6.1+ | 12+ | 🔴 Not Started |

High Priority (P1) - Next 30 Days

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Commons-Collections | 3.2.2 | 4.5.0 | 4 | 🔴 Not Started - #6936 |
| Spring Framework | 6.1.21 | 6.2.12 | 2 | 🔴 Not Started - #6935 |
| Commons BeanUtils | 1.9.4 | 1.11.0 | 1 | 🔴 Not Started |
| Apache Batik | 1.14 | 1.17+ | 4 | 🔴 Not Started |

Medium Priority (P2) - Next 60 Days

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| Apache Karaf | 4.4.8 | 4.4.9+ | TBD | 🔴 Not Started |
| Netty (transitive) | Various | 4.1.114+ | 9 | 🔴 Not Started |
| Protobuf (transitive) | Various | 3.25.8+ | 8 | 🔴 Not Started |

Low Priority (P3) - Ongoing

| Dependency | Current | Target | CVEs | Status |
|---|---|---|---|---|
| commons-lang 2.x | 2.6 | Migrate to 3.x | EOL | 🔴 Not Started |
| jQuery/Bootstrap | Various | Latest | Multiple | 🔴 Not Started |

Progress Summary

  • Total Vulnerabilities: ~126 unique
  • Target Vulnerabilities: <25 (MEDIUM/LOW only)
  • Expected Reduction: 78%+

Related Issues


Definition of Done

  • All P0 vulnerabilities resolved
  • All P1 vulnerabilities resolved
  • P2 vulnerabilities in progress
  • No CRITICAL CVEs remaining
  • CI security scanning enabled
  • OWASP suppression file maintained for confirmed false positives
