Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 13 additions & 4 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,9 @@
<liquibase.version>4.33.0</liquibase.version>
<liquibase-slf4j.version>5.1.0</liquibase-slf4j.version>
<cloudfoundry-client.version>5.16.0.RELEASE</cloudfoundry-client.version>
<!--reactor netty 1.3.x uses direct memory leading to OOM errors-->
<reactor-netty.version>1.2.18</reactor-netty.version>
<!-- Override Netty version to fix CVE-2026-42583 (Lz4FrameDecoder resource exhaustion) -->
<netty.version>4.1.135.Final</netty.version>
<reactor-netty.version>1.3.6</reactor-netty.version>

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: IMPORTANT · Confidence: 82

The comment removing the direct-memory OOM workaround note is silent about whether the regression was actually fixed upstream in reactor-netty 1.3.x. The original comment <!--reactor netty 1.3.x uses direct memory leading to OOM errors--> was a deliberate guard against upgrading past 1.2.x. Upgrading to 1.3.6 without any reference to the upstream fix risks reintroducing OOM in production under heap-limited CF deployments. The PR description or a code comment should cite the upstream reactor-netty issue/commit that resolved the direct-memory problem, so future maintainers understand the constraint was intentionally lifted.

Evidence: <reactor-netty.version>1.3.6</reactor-netty.version>

Fix: Add an inline comment documenting that the direct-memory OOM issue tracked in the original comment was resolved upstream (cite the reactor-netty issue/release), e.g.:

Suggested change
<reactor-netty.version>1.3.6</reactor-netty.version>
<!-- reactor-netty 1.3.x direct-memory OOM (previously pinned to 1.2.x) resolved upstream; see reactor-netty#<issue> -->
<reactor-netty.version>1.3.6</reactor-netty.version>

<!-- Override Netty version; aligns with reactor-netty ${reactor-netty.version} and fixes CVE-2026-42583 (Lz4FrameDecoder resource exhaustion) -->
<netty.version>4.2.15.Final</netty.version>
<swagger.version>1.6.16</swagger.version>
<jclouds.version>2.7.0</jclouds.version>
<guava.version>33.5.0-jre</guava.version>
Expand Down Expand Up @@ -870,6 +869,16 @@
<artifactId>reactor-netty</artifactId>
<version>${reactor-netty.version}</version>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-core</artifactId>
<version>${reactor-netty.version}</version>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http</artifactId>
<version>${reactor-netty.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.cloudfoundry.multiapps/multiapps-common -->
<dependency>
<groupId>org.cloudfoundry.multiapps</groupId>
Expand Down
Loading