fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs

OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches
(no suppressions):

  postgresql 42.7.11 -> 42.7.13   CVE-2026-54291 (CVSS4 8.2) — channelBinding downgrade / MITM
  httpcore5  5.3.6   -> 5.4.3     CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) — DoS

httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps
httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core.

Verified locally: builds and tests pass on 1.0.7.

Refs bom#6

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-07-12 09:55:29 -04:00
parent 2d0475ce6f
commit 7174229416
+1 -1
View File
@@ -14,7 +14,7 @@
<parent>
<groupId>com.hiveops</groupId>
<artifactId>hiveops-bom</artifactId>
<version>1.0.5</version>
<version>1.0.7</version>
<relativePath/>
</parent>