- Notifications
You must be signed in to change notification settings - Fork 58
fix(security): force netty-codec-http2 4.1.125 #1615
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Summary of ChangesHello @toddbaert, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on essential dependency management, specifically updating the gRPC library to its latest version and implementing a temporary override for Netty's HTTP/2 codec. These changes are crucial for maintaining the project's security posture and ensuring compatibility with up-to-date libraries, addressing a known vulnerability and keeping the application robust. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
33dc280
to 3c755d9
Compare There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code Review
The pull request updates the io.grpc.version
to 1.76.0 and adds a temporary override for netty-codec-http2
to address CVE-2025-58057. The addition of the netty-codec-http2
dependency with a version range is concerning because it introduces a potential security fix but also opens up a wide range of versions that might not be fully tested or compatible.
3c755d9
to 01b6e80
Compare 6d55a7b
to 0fe7090
Compare Signed-off-by: Todd Baert <todd.baert@dynatrace.com>
0fe7090
to 6461428
Compare
See title.
https://www.cve.org/CVERecord?id=CVE-2025-58057