From 7174229416f535b9012b95870ffd6318da69bb84 Mon Sep 17 00:00:00 2001 From: Johannes Date: Sun, 12 Jul 2026 09:55:29 -0400 Subject: [PATCH] =?UTF-8?q?fix(security):=20bump=20hiveops-bom=201.0.5=20-?= =?UTF-8?q?>=201.0.7=20=E2=80=94=20clears=20httpcore5=20+=20postgresql=20C?= =?UTF-8?q?VEs?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches (no suppressions): postgresql 42.7.11 -> 42.7.13 CVE-2026-54291 (CVSS4 8.2) — channelBinding downgrade / MITM httpcore5 5.3.6 -> 5.4.3 CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) — DoS httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core. Verified locally: builds and tests pass on 1.0.7. Refs bom#6 Co-Authored-By: Claude Opus 4.8 --- backend/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/pom.xml b/backend/pom.xml index b7b5880..d082c04 100644 --- a/backend/pom.xml +++ b/backend/pom.xml @@ -14,7 +14,7 @@ com.hiveops hiveops-bom - 1.0.5 + 1.0.7