fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs #15

Merged
hiveiq merged 1 commits from fix/guide-bom-1.0.7-cves into develop 2026-07-12 09:57:00 -04:00
Owner

Fleet-wide CVE remediation — same one-line bump across every service on hiveops-bom.

Dep Was Now CVE
postgresql 42.7.11 42.7.13 CVE-2026-54291 (CVSS4 8.2)
httpcore5 5.3.6 5.4.3 CVE-2026-54399 (7.5), CVE-2026-54428 (7.5)

httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps httpclient5 5.5.2 -> 5.6.2, which pulls the patched core. Pinning core alone under the old client would be an untested combination.

No suppressions — both took real upstream patches.

Verified on this service: builds + tests pass on 1.0.7.

Bumped 1.0.5 -> 1.0.7.

Refs bom#6

Fleet-wide CVE remediation — same one-line bump across every service on `hiveops-bom`. | Dep | Was | Now | CVE | |---|---|---|---| | `postgresql` | 42.7.11 | **42.7.13** | CVE-2026-54291 (CVSS4 **8.2**) | | `httpcore5` | 5.3.6 | **5.4.3** | CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) | `httpcore5` is transitive via `httpclient5`; Apache ships them as a matched pair, so bom 1.0.7 bumps **httpclient5 5.5.2 -> 5.6.2**, which pulls the patched core. Pinning core alone under the old client would be an untested combination. **No suppressions** — both took real upstream patches. **Verified on this service:** builds + tests pass on 1.0.7. Bumped **1.0.5** -> **1.0.7**. Refs bom#6
hiveiq added 1 commit 2026-07-12 09:55:30 -04:00
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream patches
(no suppressions):

  postgresql 42.7.11 -> 42.7.13   CVE-2026-54291 (CVSS4 8.2) — channelBinding downgrade / MITM
  httpcore5  5.3.6   -> 5.4.3     CVE-2026-54399 (7.5), CVE-2026-54428 (7.5) — DoS

httpcore5 is transitive via httpclient5; Apache ships them as a matched pair, so bom 1.0.7 bumps
httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core.

Verified locally: builds and tests pass on 1.0.7.

Refs bom#6

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
johannes approved these changes 2026-07-12 09:55:42 -04:00
hiveiq merged commit a82e0a6ac4 into develop 2026-07-12 09:57:00 -04:00
Sign in to join this conversation.
No Reviewers
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: hiveiq-src/hiveops-guide#15