Dependency Audit #31

@alchemain-qa-bot

Dependency Audit Overview

The table below summarises a dependency audit based on the findings of our recent Software Composition Analysis (SCA) scan. Several dependencies in this project require attention to ensure compliance, security, and optimal performance.

Key Highlights:

  • Dependencies: The table lists dependencies under review for upgrade and remediation.
  • Current vs. Target Versions: Each dependency is accompanied by its current version and the recommended target version.
  • Status: The status column indicates whether the upgrade is pending, failed, or completed.
  • Location: The location of each dependency within the project structure is specified.
  • ⚠️ Client-Server Dependencies: Some dependencies require version compatibility with your server infrastructure.

Action Items:

  1. Review Dependencies: Please take a moment to review the dependencies listed in the table.
  2. Plan Upgrades: For each dependency, consider the implications of upgrading to the target version. This may involve testing the new versions in a staging environment to ensure that existing functionality is not adversely affected.
  3. ⚠️ Client-Server Dependencies: Check the warnings below for dependencies that require version compatibility between client and server.

Rows marked ↳ are transitive dependencies of the entry they are nested under (one ↳ per nesting level).

| Dependency | Version (Advisories) | Recommended (Advisories) |
| --- | --- | --- |
| cn.hutool:hutool-all | 🔴 5.8.10 (2 / 0) | 🟢 5.8.21 (0) |
| com.alibaba:fastjson | 🔴 1.2.24 (1 / 0) | 🔴 1.2.31 (1) |
| com.fasterxml.jackson.core:jackson-core | 🔴 2.9.8 (2 / 0) | 🟢 2.15.0 (0) |
| com.fasterxml.jackson.core:jackson-databind | 🔴 2.9.8 (53 / 0) | 🟢 2.12.7.1 (0) |
| com.google.guava:guava | 🟠 23.0 (3 / 0) | 🟢 32.0.0-android (0) |
| com.jayway.jsonpath:json-path | 🟠 2.2.0 (1 / 3) | 🟢 2.9.0 (0) |
| ↳ net.minidev:json-smart | 🟠 2.2.1 (2 / 0) | 🟢 2.4.9 (0) |
| com.monitorjbl:xlsx-streamer | 🔴 2.0.0 (1 / 0) | 🟢 2.1.0 (0) |
| com.squareup.okhttp:okhttp | 🟢 2.5.0 (0 / 1) | 🟢 2.7.5 (0) |
| ↳ com.squareup.okio:okio | 🟠 1.6.0 (1 / 0) | 🟢 1.17.6 (0) |
| com.thoughtworks.xstream:xstream | 🔴 1.4.20 (1 / 0) | 🟢 1.4.21 (0) |
| commons-beanutils:commons-beanutils | 🔴 1.9.4 (1 / 0) | 🟢 1.11.0 (0) |
| commons-collections:commons-collections | 🔴 3.1 (2 / 0) | 🟢 3.2.2 (0) |
| commons-httpclient:commons-httpclient | 🟢 3.1 (1 / 0) | 🟢 20020423 (1) |
| commons-io:commons-io | 🟠 2.5 (2 / 0) | 🟢 2.14.0 (0) |
| commons-lang:commons-lang | 🟠 2.4 (1 / 0) | 🟠 2.6 (1) |
| commons-net:commons-net | 🟠 3.6 (1 / 0) | 🟢 3.9.0 (0) |
| io.springfox:springfox-swagger-ui | 🔴 2.9.2 (1 / 0) | 🟢 2.10.0 (0) |
| junit:junit | 🟠 4.12 (1 / 0) | 🟢 4.13.1 (0) |
| mysql:mysql-connector-java | 🔴 8.0.12 (5 / 9) | 🔴 8.0.30 (1) |
| ↳ com.google.protobuf:protobuf-java | 🟠 2.6.0 (4 / 0) | 🟢 3.25.5 (0) |
| org.apache.httpcomponents:httpclient | 🟠 4.5.12 (1 / 0) | 🟢 4.5.13 (0) |
| org.apache.logging.log4j:log4j-core | 🔴 2.9.1 (5 / 0) | 🟢 2.12.4 (0) |
| org.apache.poi:poi-ooxml | 🟠 3.9 (1 / 4) | 🟢 5.4.0 (0) |
| ↳ dom4j:dom4j | 🔴 1.6.1 (2 / 0) | 🔴 1.6.1 (2) |
| ↳ org.apache.poi:poi-ooxml-schemas | 🟢 3.9 (0 / 1) | 🟢 4.1.2 (0) |
| ↳↳ org.apache.xmlbeans:xmlbeans | 🔴 2.3.0 (1 / 0) | 🟢 3.0.0 (0) |
| org.apache.poi:poi | 🟠 3.10-FINAL (6 / 0) | 🟢 4.1.1 (0) |
| org.apache.shiro:shiro-core | 🔴 1.2.4 (9 / 0) | 🟢 1.13.0 (0) |
| org.apache.velocity:velocity | 🔴 1.7 (1 / 0) | n/a |
| org.dom4j:dom4j | 🔴 2.1.0 (3 / 0) | 🟢 2.1.4 (1) |
| org.jdom:jdom2 | 🟠 2.0.6 (1 / 0) | 🟢 2.0.6.1 (0) |
| org.jolokia:jolokia-core | 🔴 1.6.0 (1 / 0) | 🟢 1.6.1 (0) |
| org.jsoup:jsoup | 🟠 1.10.2 (2 / 0) | 🟢 1.15.3 (0) |
| org.mybatis.spring.boot:mybatis-spring-boot-starter | 🟢 1.3.2 (0 / 1) | 🟢 1.3.2 (0) |
| ↳ org.mybatis:mybatis | 🔴 3.4.6 (1 / 0) | 🟢 3.5.6 (0) |
| org.postgresql:postgresql | 🔴 42.3.1 (7 / 0) | 🟢 42.3.9 (0) |
| org.springframework.boot:spring-boot-starter-actuator | 🟢 1.5.1.RELEASE (0 / 1) | 🟢 4.1.0-M1 (0) |
| ↳ org.springframework.boot:spring-boot-actuator | 🟠 1.5.1.RELEASE (1 / 0) | 🟢 2.7.18 (0) |
| org.springframework.boot:spring-boot-starter-thymeleaf | 🟢 1.5.1.RELEASE (0 / 3) | 🟢 4.1.0-M1 (0) |
| ↳ nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect | 🟢 1.4.0 (0 / 2) | 🟢 3.4.0 (0) |
| ↳↳ org.codehaus.groovy:groovy | 🔴 2.4.7 (2 / 0) | 🟢 2.4.21 (0) |
| ↳ org.thymeleaf:thymeleaf-spring4 | 🟢 2.1.5.RELEASE (0 / 1) | 🟢 3.0.15.RELEASE (0) |
| ↳↳ org.thymeleaf:thymeleaf | 🟢 2.1.5.RELEASE (0 / 1) | 🟢 3.1.3.RELEASE (0) |
| ↳↳↳ ognl:ognl | 🟠 3.0.8 (1 / 0) | 🟢 3.0.12 (0) |
| org.springframework.boot:spring-boot-starter-web | 🔴 1.5.1.RELEASE (1 / 67) | 🟢 2.5.12 (0) |
| ↳ org.hibernate:hibernate-validator | 🟠 5.3.4.Final (4 / 0) | 🟢 6.2.0.Final (0) |
| ↳ org.springframework.boot:spring-boot-starter-tomcat | 🟢 1.5.1.RELEASE (0 / 41) | 🟢 4.1.0-M1 (0) |
| ↳↳ org.apache.tomcat.embed:tomcat-embed-core | 🔴 8.5.11 (40 / 0) | 🔴 8.5.100 (11) |
| ↳↳ org.apache.tomcat.embed:tomcat-embed-websocket | 🟠 8.5.11 (1 / 0) | 🟢 8.5.99 (0) |
| ↳ org.springframework.boot:spring-boot-starter | 🟢 1.5.1.RELEASE (0 / 12) | 🟢 4.1.0-M1 (0) |
| ↳↳ org.springframework.boot:spring-boot-autoconfigure | 🟠 1.5.1.RELEASE (1 / 0) | 🟢 2.5.15 (0) |
| ↳↳ org.springframework.boot:spring-boot-starter-logging | 🟢 1.5.1.RELEASE (0 / 8) | 🟢 4.1.0-M1 (0) |
| ↳↳↳ ch.qos.logback:logback-classic | 🔴 1.1.9 (2 / 8) | 🟢 1.2.13 (0) |
| ↳↳↳↳ ch.qos.logback:logback-core | 🔴 1.1.9 (6 / 0) | 🟢 1.3.16 (0) |
| ↳↳ org.springframework.boot:spring-boot | 🔴 1.5.1.RELEASE (3 / 0) | 🟠 2.7.18 (1) |
| ↳ org.springframework:spring-web | 🔴 4.3.6.RELEASE (7 / 0) | 🔴 4.3.6.RELEASE (7) |
| ↳ org.springframework:spring-webmvc | 🔴 4.3.6.RELEASE (2 / 0) | 🟠 5.3.39 (4) |
| org.springframework.cloud:spring-cloud-starter-netflix-eureka-client | 🟢 1.4.0.RELEASE (0 / 46) | 🟢 5.0.1 (0) |
| ↳ com.netflix.eureka:eureka-client | 🟢 1.4.11 (0 / 12) | 🟢 2.0.5 (0) |
| ↳↳ com.netflix.netflix-commons:netflix-eventbus | 🟢 0.3.0 (0 / 7) | n/a |
| ↳↳↳ com.netflix.netflix-commons:netflix-infix | 🟢 0.3.0 (0 / 7) | n/a |
| ↳↳↳↳ com.google.code.gson:gson | 🔴 2.8.0 (1 / 0) | 🟢 2.8.9 (0) |
| ↳↳↳↳ commons-jxpath:commons-jxpath | 🔴 1.3 (6 / 0) | 🔴 1.3 (6) |
| ↳↳ org.codehaus.jettison:jettison | 🟠 1.3.7 (5 / 0) | 🟢 1.5.4 (0) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-archaius | 🟢 1.4.0.RELEASE (0 / 1) | 🟢 2.2.10.RELEASE (0) |
| ↳↳ commons-configuration:commons-configuration | 🟠 1.8 (1 / 0) | 🟠 1.10 (1) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-ribbon | 🟢 1.4.0.RELEASE (0 / 14) | 🟢 2.2.10.RELEASE (0) |
| ↳↳ com.netflix.ribbon:ribbon | 🟢 2.2.0 (0 / 14) | 🟢 2.7.18 (0) |
| ↳↳↳ io.reactivex:rxnetty | 🟢 0.4.9 (0 / 14) | 🟢 0.5.1 (0) |
| ↳↳↳↳ io.netty:netty-codec-http | 🔴 4.0.27.Final (6 / 12) | 🟢 4.1.125.Final (0) |
| ↳↳↳↳↳ io.netty:netty-codec | 🟠 4.0.27.Final (3 / 0) | 🟢 4.1.125.Final (0) |
| ↳↳↳↳↳ io.netty:netty-handler | 🟠 4.0.27.Final (3 / 0) | 🟠 4.1.94.Final (2) |
| ↳↳↳↳ io.netty:netty-transport-native-epoll | 🟢 4.0.27.Final (0 / 2) | 🟢 5.0.0.Alpha2 (0) |
| ↳↳↳↳↳ io.netty:netty-common | 🟠 4.0.27.Final (2 / 0) | 🟢 4.1.118.Final (0) |
| ↳ org.springframework.cloud:spring-cloud-starter | 🟢 1.1.3.RELEASE (0 / 19) | 🟢 5.0.1 (0) |
| ↳↳ org.springframework.cloud:spring-cloud-context | 🟢 1.1.3.RELEASE (0 / 1) | 🟢 1.1.3.RELEASE (0) |
| ↳↳↳ org.springframework.security:spring-security-crypto | 🟠 4.2.1.RELEASE (1 / 0) | 🟠 5.7.14 (1) |
| ↳↳ org.springframework.security:spring-security-rsa | 🟢 1.0.3.RELEASE (0 / 18) | 🟢 1.1.5 (0) |
| ↳↳↳ org.bouncycastle:bcpkix-jdk15on | 🟠 1.55 (1 / 18) | 🟠 1.70 (1) |
| ↳↳↳↳ org.bouncycastle:bcprov-jdk15on | 🟠 1.55 (17 / 0) | 🟠 1.70 (4) |
| org.springframework.data:spring-data-commons | 🟠 1.13.11.RELEASE (1 / 0) | 🟠 1.13.11.RELEASE (1) |
| org.springframework.security:spring-security-web | 🔴 4.2.12.RELEASE (3 / 22) | 🟢 5.7.13 (0) |
| ↳ org.springframework.security:spring-security-core | 🔴 4.2.1.RELEASE (8 / 0) | 🟢 5.7.14 (0) |
| ↳ org.springframework:spring-beans | 🔴 4.3.6.RELEASE (2 / 0) | 🟢 5.2.22.RELEASE (0) |
| ↳ org.springframework:spring-context | 🟠 4.3.6.RELEASE (3 / 0) | 🟠 5.3.39 (2) |
| ↳ org.springframework:spring-core | 🟠 4.3.6.RELEASE (6 / 0) | 🟢 4.3.20.RELEASE (0) |
| org.springframework:spring-expression | 🟠 4.3.16.RELEASE (4 / 0) | 🟢 5.3.39 (0) |
| org.yaml:snakeyaml | 🔴 1.21 (8 / 0) | 🟢 2.0 (0) |

⚠️ Client-Server Dependencies Warning

The following dependencies require version compatibility between client and server:

| Dependency | Risk Level | Description |
| --- | --- | --- |
| pkg:maven/commons-net/commons-net@3.6 | 🔴 HIGH | Client library for network protocols (FTP, SMTP, etc.). Client must match server protocol version to avoid connection failures. |
| pkg:maven/com.netflix.eureka/eureka-client@1.4.11 | 🔴 HIGH | A client for the Eureka service discovery server. The client version must match the server's API and protocol to ensure registration and heartbeat work correctly. |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE | 🔴 HIGH | Client for the Eureka service registry. Must match the Eureka server's API version to ensure proper service discovery and registration. |
| pkg:maven/org.postgresql/postgresql@42.3.1 | 🔴 HIGH | PostgreSQL JDBC driver. Client version must be compatible with the database server version to ensure correct protocol and feature support. |
| pkg:maven/mysql/mysql-connector-java@8.0.12 | 🔴 HIGH | The official JDBC driver for MySQL. The client driver version must be compatible with the MySQL server version to avoid protocol or authentication failures. |
| pkg:maven/org.jolokia/jolokia-core@1.6.0 | 🔴 HIGH | JMX over HTTP agent (server) and client library. Client and server versions must match due to JSON/HTTP protocol changes. |
| pkg:maven/org.springframework.boot/spring-boot-starter@1.5.1.RELEASE | 🔴 HIGH | Core starter for Spring Boot applications, often embedding a web server. Server version must match the Spring Boot ecosystem. |
| pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@8.5.11 | 🔴 HIGH | Embedded WebSocket server; client browsers must use a compatible WebSocket protocol version supported by the server. |
| pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11 | 🔴 HIGH | Embedded HTTP server core; client browsers and tools must use HTTP protocol versions compatible with the server runtime. |
| pkg:maven/org.springframework.boot/spring-boot@1.5.1.RELEASE | 🟡 MEDIUM | Framework for creating standalone Spring applications, often embedding a server. Major versions may introduce breaking changes to auto-configuration. |
| pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@1.5.1.RELEASE | 🟡 MEDIUM | An embedded Tomcat server for Spring Boot. Risk is medium; server version must be compatible with the Servlet API and Spring Boot's auto-configuration. |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-ribbon@1.4.0.RELEASE | 🟡 MEDIUM | This is a client-side load balancer for REST clients. It must be compatible with the service discovery server (e.g., Eureka) and the target microservices' API ver... |
| pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE | 🟡 MEDIUM | Includes embedded Tomcat server; ensure client HTTP libraries are compatible with the server's HTTP/1.1 or HTTP/2 support. |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-archaius@1.4.0.RELEASE | 🟡 MEDIUM | Archaius is a configuration management client for Netflix OSS services. Client version must be compatible with the remote configuration server's API and data format. |
| pkg:maven/com.netflix.ribbon/ribbon@2.2.0 | 🟡 MEDIUM | A client-side load balancer for REST services. It must be compatible with the service discovery mechanism and other Netflix OSS components. |

I will start working on this plan shortly; however, you can prompt me to take action immediately or suggest changes. For example:

Upgrade to target version:
@00felix upgrade org.group:artifact

or

Upgrade to specific version:
@00felix upgrade org.group:artifact@version

Set JDK version:
@00felix settings set jdk {version}
(e.g., @00felix settings set jdk 17 to switch to Java 17 for compatibility requirements)

In response, I will create a remediation and generate a pull request for your review.