{"id":439,"name":"com.thoughtworks.xstream:xstream","ecosystem":"maven","repository_url":"https://github.com/x-stream/xstream","issues_count":155,"created_at":"2025-06-06T15:01:34.577Z","updated_at":"2025-06-06T15:01:34.577Z","purl":"pkg:maven/com.thoughtworks.xstream:xstream","metadata":{"id":4779663,"name":"com.thoughtworks.xstream:xstream","ecosystem":"maven","description":"XStream is a serialization library from Java objects to XML and back.","homepage":"http://x-stream.github.io","licenses":"BSD-3-Clause","normalized_licenses":["BSD-3-Clause"],"repository_url":"https://github.com/x-stream/xstream","keywords_array":[],"namespace":"com.thoughtworks.xstream","versions_count":41,"first_release_published_at":"2006-08-18T09:59:54.000Z","latest_release_published_at":"2024-11-07T19:15:09.000Z","latest_release_number":"1.4.21","last_synced_at":"2025-06-04T12:44:19.993Z","created_at":"2022-07-26T11:12:35.938Z","updated_at":"2025-06-05T02:02:53.423Z","registry_url":"https://central.sonatype.com/artifact/com.thoughtworks.xstream/xstream/","install_command":null,"documentation_url":"https://appdoc.app/artifact/com.thoughtworks.xstream/xstream/","metadata":{},"repo_metadata":{"uuid":"32219624","full_name":"x-stream/xstream","owner":"x-stream","description":"Serialize Java objects to XML and back 
again.","archived":false,"fork":false,"pushed_at":"2023-10-17T18:58:58.000Z","size":21422,"stargazers_count":721,"open_issues_count":35,"forks_count":224,"subscribers_count":51,"default_branch":"master","last_synced_at":"2023-11-10T20:37:43.104Z","etag":null,"topics":["java","xml","xstream"],"latest_commit_sha":null,"homepage":"http://x-stream.github.io","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/x-stream.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null}},"created_at":"2015-03-14T15:57:12.000Z","updated_at":"2023-11-07T13:53:01.000Z","dependencies_parsed_at":"2023-09-27T04:20:47.517Z","dependency_job_id":null,"html_url":"https://github.com/x-stream/xstream","commit_stats":null,"previous_names":[],"tags_count":40,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x-stream","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":175624114,"owners_count":10287509,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","rep
ositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"x-stream","name":"XStream","uuid":"12127637","kind":"organization","description":"","email":null,"website":null,"location":"http://x-stream.github.io","twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/12127637?v=4","repositories_count":4,"last_synced_at":"2023-02-28T18:35:26.464Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/x-stream","created_at":"2022-11-11T20:12:18.814Z","updated_at":"2023-02-28T18:35:26.471Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x-stream","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/x-stream/repositories"},"tags":[{"name":"XSTREAM_1_4_20","sha":"f124f777fb8831430f930816a9e18813788c69cb","kind":"tag","published_at":"2022-12-23T23:13:31.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_20","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_20","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_20","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_20/manifests"},{"name":"XSTREAM_1_4_19","sha":"61a00fa225dc99488013869b57b772af8e2fea03","kind":"tag","published_at":"2022-01-29T16:46:19.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_19","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_19","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_19","manifests_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_19/manifests"},{"name":"XSTREAM_1_4_18","sha":"b9ad1c02724c2b1636a8794c8e1bcd630f46c0b3","kind":"tag","published_at":"2021-08-22T11:57:46.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_18","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_18","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_18","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_18/manifests"},{"name":"XSTREAM_1_4_17","sha":"25eaa5034fca7a492605936ea880132c98bec237","kind":"tag","published_at":"2021-05-14T08:20:10.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_17","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_17","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_17","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_17/manifests"},{"name":"XSTREAM_1_4_16","sha":"3dd9cc610199802e4f13bd49b02a9f99adaba145","kind":"tag","published_at":"2021-03-12T23:22:41.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_16","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_16","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_16","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_16/manifests"},{"name":"XSTREAM_1_4_15","sha":"f04bbec461f2c2a6f1e2cf41770f42c64aae24a4","kind":"tag","published_at":"2020-12-12T23:21:56.000Z","download_url":"https://codeload.github.com/x
-stream/xstream/tar.gz/XSTREAM_1_4_15","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_15","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_15","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_15/manifests"},{"name":"XSTREAM_1_4_14","sha":"b9f6f5924681f1d37484df4197712bb768f7ec44","kind":"tag","published_at":"2020-11-15T23:01:08.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_14","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_14","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_14","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_14/manifests"},{"name":"XSTREAM_1_4_13","sha":"cba30d7f75cb0f7e2fd66c03989e51f7c8521232","kind":"tag","published_at":"2020-09-06T21:41:27.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_13","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_13","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_13","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_13/manifests"},{"name":"XSTREAM_1_4_12","sha":"6ec37c8d0129ce73d3264958d1deb38eeb08eea5","kind":"tag","published_at":"2020-04-12T17:16:29.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_12","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_12","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxs
tream/tags/XSTREAM_1_4_12","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_12/manifests"},{"name":"XSTREAM_1_4_11_1","sha":"54529d8561c7fc959c8c394c0526bf45cc0c1528","kind":"tag","published_at":"2018-10-26T19:03:19.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_11_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_11_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_11_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_11_1/manifests"},{"name":"XSTREAM_1_4_11","sha":"807e21fb3ec55061b3becb835df10b0d20279f11","kind":"tag","published_at":"2018-10-22T20:05:41.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_11","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_11","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_11","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_11/manifests"},{"name":"XSTREAM_1_4_10","sha":"4d9499729007ef6090a9989db60099c72f8eb983","kind":"tag","published_at":"2017-05-23T14:27:07.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_10","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_10","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_10","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_10/manifests"},{"name":"XSTREAM_1_4_9","sha":"f66bbea1b383e705988abf8d06ea9782a73f24d4","kind":"tag","pub
lished_at":"2016-03-15T23:09:45.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_9","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_9","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_9","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_9/manifests"},{"name":"XSTREAM_1_4_6","sha":"768c6e417a75e7732fc591bee844e5e81af56a7d","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_6","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_6/manifests"},{"name":"XSTREAM_1_4_5","sha":"6263a53e8b8c4d1b092a32fa1abcadb6acfce45b","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_5","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_5/manifests"},{"name":"XSTREAM_1_4_4","sha":"c4c71226515fa42809a48d9ae702756e2831f379","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_4","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_4/manifests"},{"name":"XSTREAM_1_4_3","sha":"1b7a2f6cac924bed53b876a2d10aff69aff46b51","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_3","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_3/manifests"},{"name":"XSTREAM_1_4_2","sha":"852891a5ebe48b0302ccff8b25d02df4cb7fd056","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_2/manifests"},{"name":"XSTREAM_1_4_1","sha":"5b97cd3e49b65df1de6b601f9b3a8373ef523428","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_1/manifests"},{"name":"XSTREAM_1_4","sha":"4b5fb281ce97d021e23c30
2099f571042e00e9f3","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4/manifests"},{"name":"XSTREAM_1_3_1","sha":"ff23674bfa2d25b56c826e488df9e41a3fa99cec","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_3_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_3_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_3_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_3_1/manifests"},{"name":"XSTREAM_1_4_7","sha":"6acae3f1c9a6ab94e78d0bb0e39429c120fcd718","kind":"tag","published_at":"2015-03-15T09:38:39.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_7","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_7/manifests"},{"name":"XSTREAM_1_2_2","sha":"2c2109f23be2c7094cb20da06d1cf8ae767ca1b3","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_2_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_2_2","dependencies_parsed_at":null,"dependency_j
ob_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2_2/manifests"},{"name":"XSTREAM_1_2_1","sha":"de03e6dced96663a579575dcbb71b3ca9576e173","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_2_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_2_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2_1/manifests"},{"name":"XSTREAM_1_2","sha":"cf2ecd483d39f0eca8f98ec4f2bccb273d5c3538","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_2/manifests"},{"name":"XSTREAM_1_1_3","sha":"92acd5f00520a1885e5b6f627102ab0a455daa1f","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_1_3","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_1_3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_3/manifests"},{"name":"XSTREAM_1_1_2","sha":"7
ed86c98735a02d25caf8bb7a6532fcb3390e92e","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_1_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_1_2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_2/manifests"},{"name":"XSTREAM_1_1_1","sha":"afda6dede96f611ac6485ed53280bfee292f5692","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_1_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_1_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1_1/manifests"},{"name":"XSTREAM_1_1","sha":"be610b807efda705f45d12a5d6090bf844fcdfff","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_1/manifests"},{"name":"XSTREAM_1_3","sha":"94fcafc045f3b7b9a969c7d5cc6ad5eaa43fcb1a","kind":"tag","published_at":"2015-03-15T09:38:38.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_3","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_3","dependencies_parsed_at":null,
"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_3/manifests"},{"name":"XSTREAM_1_0_1","sha":"c1bb7484d85ca2290cf16097e394434391307673","kind":"tag","published_at":"2015-03-15T09:38:37.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_0_1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_0_1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_1/manifests"},{"name":"XSTREAM_1_0_RC1","sha":"161829e174498b6003cf8221da5d470afca05649","kind":"tag","published_at":"2015-03-15T09:38:37.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_0_RC1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_0_RC1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_RC1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_RC1/manifests"},{"name":"XSTREAM_1_0_2","sha":"8e0dbbdbc462da0bd459e28381ac76bf7c6bc8ee","kind":"tag","published_at":"2015-03-15T09:38:37.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_0_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_0_2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_0_2/manifests"},{"n
ame":"XSTREAM_0_6_RC1","sha":"62c22adf2104bfe531b80b46b468d29b46aabfbb","kind":"tag","published_at":"2015-03-15T09:35:51.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_6_RC1","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_6_RC1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_6_RC1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_6_RC1/manifests"},{"name":"XSTREAM_0_5","sha":"b116b47b2a9b7f9b68fedf8c40daf98b077660b4","kind":"tag","published_at":"2015-03-15T09:35:51.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_5","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_5/manifests"},{"name":"XSTREAM_0_6","sha":"6ce6678e233dbb02d46bc87ee4ea15876c1b8365","kind":"tag","published_at":"2015-03-15T09:35:51.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_6","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_6/manifests"},{"name":"XSTREAM_0_4","sha":"65f1fb83154b67ae417637d0b674e278c7e5f8fe","kind":"tag","published_at":"2015-03-14T23:20:41.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_4","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_4","
dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_4/manifests"},{"name":"XSTREAM_0_3","sha":"8f16b1e3bcd8a9611aa3ad39804aba1ff6736362","kind":"tag","published_at":"2015-03-14T23:12:16.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_3","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_3/manifests"},{"name":"XSTREAM_0_2","sha":"0522415786058bd64f4d05c31b31b8fae83bc31c","kind":"tag","published_at":"2015-03-14T23:10:48.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_0_2","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_0_2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_0_2/manifests"},{"name":"XSTREAM_1_4_8","sha":"da0f1b833c27ffe37257d39400029b50757d4ff0","kind":"tag","published_at":"2015-03-14T23:02:50.000Z","download_url":"https://codeload.github.com/x-stream/xstream/tar.gz/XSTREAM_1_4_8","html_url":"https://github.com/x-stream/xstream/releases/tag/XSTREAM_1_4_8","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_8","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/x-stream%2Fxstream/tags/XSTREAM_1_4_8/manifests"}]},"r
epo_metadata_updated_at":"2023-12-10T21:22:01.966Z","dependent_packages_count":1882,"downloads":null,"downloads_period":null,"dependent_repos_count":25482,"rankings":{"downloads":null,"dependent_repos_count":0.03664067114497092,"dependent_packages_count":0.03844267136521539,"stargazers_count":13.52060787474096,"forks_count":13.157404719238356,"docker_downloads_count":0.044649561012724125,"average":5.359549099500446},"purl":"pkg:maven/com.thoughtworks.xstream/xstream","advisories":[{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5anctanFmNC0zd3Ez","url":"https://github.com/advisories/GHSA-59jw-jqf4-3wq3","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21344](https://x-stream.github.io/CVE-2021-21344.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:28:23.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-59jw-jqf4-3wq3","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21344","https://x-stream.github.io/CVE-2021-21344.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-59jw-jqf4-3wq3"],"source_kind":"github","identifiers":["GHSA-59jw-jqf4-3wq3","CVE-2021-21344"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.944Z","updated_at":"2023-02-01T05:05:10.000Z","epss_percentage":0.28576,"epss_percentile":0.96248},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY0eHgtY3E0cS1tZjQ0","url":"https://github.com/advisories/GHSA-64xx-cq4q-mf44","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below.  However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39139](https://x-stream.github.io/CVE-2021-39139.html).\n\n### Credits\nLai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:48:47.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-64xx-cq4q-mf44","https://nvd.nist.gov/vuln/detail/CVE-2021-39139","https://x-stream.github.io/CVE-2021-39139.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-64xx-cq4q-mf44"],"source_kind":"github","identifiers":["GHSA-64xx-cq4q-mf44","CVE-2021-39139"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.603Z","updated_at":"2025-06-05T01:18:03.488Z","epss_percentage":0.00427,"epss_percentile":0.61497},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc0Y3YtZjU4eC1mOXdm","url":"https://github.com/advisories/GHSA-74cv-f58x-f9wf","title":"XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights","description":"### Impact\nThe processed stream at 
unmarshalling time contains type information to recreate the formerly written objects.  XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21343](https://x-stream.github.io/CVE-2021-21343.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:28:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-74cv-f58x-f9wf","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21343","https://x-stream.github.io/CVE-2021-21343.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-74cv-f58x-f9wf"],"source_kind":"github","identifiers":["GHSA-74cv-f58x-f9wf","CVE-2021-21343"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.952Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.00978,"epss_percentile":0.75632},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3djQtN3hnMy1oeGNj","url":"https://github.com/advisories/GHSA-h7v4-7xg3-hxcc","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39147](https://x-stream.github.io/CVE-2021-39147.html).\n\n### Credits\nwh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:46.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-h7v4-7xg3-hxcc","https://nvd.nist.gov/vuln/detail/CVE-2021-39147","https://x-stream.github.io/CVE-2021-39147.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-h7v4-7xg3-hxcc"],"source_kind":"github","identifiers":["GHSA-h7v4-7xg3-hxcc","CVE-2021-39147"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.126Z","updated_at":"2025-06-05T01:18:03.387Z","epss_percentage":0.00569,"epss_percentile":0.67474},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ3NjItaHg3ci1tdzY4","url":"https://github.com/advisories/GHSA-6w62-hx7r-mw68","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by 
manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39154](https://x-stream.github.io/CVE-2021-39154.html).\n\n### Credits\nka1n4t found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:46:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-6w62-hx7r-mw68","https://nvd.nist.gov/vuln/detail/CVE-2021-39154","https://x-stream.github.io/CVE-2021-39154.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html",
"https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-6w62-hx7r-mw68"],"source_kind":"github","identifiers":["GHSA-6w62-hx7r-mw68","CVE-2021-39154"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.586Z","updated_at":"2025-06-05T01:18:03.274Z","epss_percentage":0.00569,"epss_percentile":0.67474},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJxOHgtMnA3Zi01NzR2","url":"https://github.com/advisories/GHSA-2q8x-2p7f-574v","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39153](https://x-stream.github.io/CVE-2021-39153.html).\n\n### Credits\nCeclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:46:49.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-2q8x-2p7f-574v","https://nvd.nist.gov/vuln/detail/CVE-2021-39153","https://x-stream.github.io/CVE-2021-39153.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2
022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-2q8x-2p7f-574v"],"source_kind":"github","identifiers":["GHSA-2q8x-2p7f-574v","CVE-2021-39153"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.635Z","updated_at":"2023-01-27T05:02:28.000Z","epss_percentage":0.00351,"epss_percentile":0.56791},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZ3Zjktam1nOS12eGNj","url":"https://github.com/advisories/GHSA-6wf9-jmg9-vxcc","title":"XStream can cause a Denial of Service","description":"### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39140](https://x-stream.github.io/CVE-2021-39140.html).\n\n### Credits\nThe vulnerability was discovered and reported by Lai Han of nsfocus security team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-08-25T14:48:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-6wf9-jmg9-vxcc","https://nvd.nist.gov/vuln/detail/CVE-2021-39140","https://x-stream.github.io/CVE-2021-39140.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html"
,"https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-6wf9-jmg9-vxcc"],"source_kind":"github","identifiers":["GHSA-6wf9-jmg9-vxcc","CVE-2021-39140"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.524Z","updated_at":"2023-01-27T05:02:19.000Z","epss_percentage":0.00089,"epss_percentile":0.26714},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc1dzYtbXJqNy03NWgy","url":"https://github.com/advisories/GHSA-g5w6-mrj7-75h2","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39141](https://x-stream.github.io/CVE-2021-39141.html).\n\n### Credits\nCeclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:48:31.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-g5w6-mrj7-75h2","https://nvd.nist.gov/vuln/detail/CVE-2021-39141","https://x-stream.github.io/CVE-2021-39141.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-g5w6-mrj7-75h2"],"source_kind":"github","identifiers":["GHSA-g5w6-mrj7-75h2","CVE-2021-39141"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.475Z","updated_at":"2023-01-27T05:02:28.000Z","epss_percentage":0.75915,"epss_percentile":0.98839},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNjY3EtNXZ3My0ycDZ4","url":"https://github.com/advisories/GHSA-3ccq-5vw3-2p6x","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by 
manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39149](https://x-stream.github.io/CVE-2021-39149.html).\n\n### Credits\nLai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-3ccq-5vw3-2p6x","https://nvd.nist.gov/vuln/detail/CVE-2021-39149","https://x-stream.github.io/CVE-2021-39149.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/securit
y-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-3ccq-5vw3-2p6x"],"source_kind":"github","identifiers":["GHSA-3ccq-5vw3-2p6x","CVE-2021-39149"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.929Z","updated_at":"2023-01-27T05:02:28.000Z","epss_percentage":0.00351,"epss_percentile":0.56791},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXh3NHAtY3Jwai12angy","url":"https://github.com/advisories/GHSA-xw4p-crpj-vjx2","title":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host","description":"### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39152](https://x-stream.github.io/CVE-2021-39152.html).\n\n### Credits\nm0d9 of the Security Team of Alibaba Cloud found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:46:59.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-xw4p-crpj-vjx2","https://nvd.nist.gov/vuln/detail/CVE-2021-39152","https://x-stream.github.io/CVE-2021-39152.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-xw4p-crpj-vjx2"],"source_kind":"github","identifiers":["GHSA-xw4p-crpj-vjx2","CVE-2021-39152"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.690Z","updated_at":"2023-01-27T05:02:46.000Z","epss_percentage":0.61765,"epss_percentile":0.98208},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdod2MtNDZybS02NWpo","url":"https://github.com/advisories/GHSA-7hwc-46rm-65jh","title":"Denial of service in XStream","description":"XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during 
unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML(\"\u003cvoid/\u003e\") call.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2020-06-30T22:48:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2017-7957","https://github.com/x-stream/xstream/commit/6e546ec366419158b1e393211be6d78ab9604ab","https://github.com/x-stream/xstream/commit/8542d02d9ac5d384c85f4b33d6c1888c53bd55d","https://github.com/x-stream/xstream/commit/b3570be2f39234e61f99f9a20640756ea71b1b4","https://access.redhat.com/errata/RHSA-2017:1832","https://access.redhat.com/errata/RHSA-2017:2888","https://access.redhat.com/errata/RHSA-2017:2889","https://exchange.xforce.ibmcloud.com/vulnerabilities/125800","https://www-prd-trops.events.ibm.com/node/715749","http://www.debian.org/security/2017/dsa-3841","http://www.securityfocus.com/bid/100687","http://www.securitytracker.com/id/1039499","http://x-stream.github.io/CVE-2017-7957.html","https://github.com/advisories/GHSA-7hwc-46rm-65jh"],"source_kind":"github","identifiers":["GHSA-7hwc-46rm-65jh","CVE-2017-7957"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.10","vulnerable_version_range":"\u003c 1.4.10"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:23.816Z","updated_at":"2025-05-23T19:00:18.000Z","epss_percentage":0.03498,"epss_percentile":0.87004},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1NTQteDIyMi13Z2Y3","url":"https://github.com/advisories/GHSA-f554-x222-wgf7","title":"Command Injection in Xstream","description":"Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. 
JSON.","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2019-05-29T18:05:03.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2013-7285","http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html","http://seclists.org/oss-sec/2014/q1/69","https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html","https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html","https://x-stream.github.io/CVE-2013-7285.html","https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E","https://www.oracle.com/security-alerts/cpuoct2020.html","http://web.archive.org/web/20140204133306/http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html","https://github.com/x-stream/xstream/commit/6344867dce6767af7d0fe34fb393271a6456672d","https://github.com/advisories/GHSA-f554-x222-wgf7"],"source_kind":"github","identifiers":["GHSA-f554-x222-wgf7","CVE-2013-7285"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.11","vulnerable_version_range":"= 1.4.10"},{"first_patched_version":"1.4.7","vulnerable_version_range":"\u003c 1.4.7"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:30.113Z","updated_at":"2024-03-04T23:51:43.000Z","epss_percentage":0.22896,"epss_percentile":0.95609},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdjaHYtcnJ3Ni13NmZj","url":"https://github.com/advisories/GHSA-7chv-rrw6-w6fc","title":"XStream is vulnerable to a Remote Command Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the 
processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.17.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-29505](https://x-stream.github.io/CVE-2021-29505.html).\n\n### Credits\n\nV3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Email us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-05-18T18:36:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc","https://x-stream.github.io/CVE-2021-29505.html","https://nvd.nist.gov/vuln/detail/CVE-2021-29505","https://github.com/x-stream/xstream/commit/24fac82191292c6ae25f94508d28b9823f83624f","https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f@%3Cdev.jmeter.apache.org%3E","https://lists.debian.org/debian-lts-announce/2021/07/msg00004.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","https://security.netapp.com/advisory/ntap-20210708-0007","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","https://lists.apache.org/thread.html/r8ee51debf7fd184b6a6b020dc31df25118b0aa612885f12fbe77f04f%40%3Cde
v.jmeter.apache.org%3E","https://github.com/advisories/GHSA-7chv-rrw6-w6fc"],"source_kind":"github","identifiers":["GHSA-7chv-rrw6-w6fc","CVE-2021-29505"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.17","vulnerable_version_range":"\u003c 1.4.17"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:03.302Z","updated_at":"2025-05-30T00:32:19.000Z","epss_percentage":0.91356,"epss_percentile":0.99628},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh2djgtMzM2Zy1yeDNt","url":"https://github.com/advisories/GHSA-hvv8-336g-rx3m","title":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host","description":"### Impact\nThe processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21342](https://x-stream.github.io/CVE-2021-21342.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:28:01.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-hvv8-336g-rx3m","https://x-stream.github.io/CVE-2021-21342.html","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21342","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR
6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-hvv8-336g-rx3m"],"source_kind":"github","identifiers":["GHSA-hvv8-336g-rx3m","CVE-2021-21342"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.971Z","updated_at":"2023-03-09T21:21:56.000Z","epss_percentage":0.01423,"epss_percentile":0.79617},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFwZnEtcGg3ci1xdjZm","url":"https://github.com/advisories/GHSA-qpfq-ph7r-qv6f","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21347](https://x-stream.github.io/CVE-2021-21347.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:29:00.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-qpfq-ph7r-qv6f","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21347","https://x-stream.github.io/CVE-2021-21347.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedorapr
oject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-qpfq-ph7r-qv6f"],"source_kind":"github","identifiers":["GHSA-qpfq-ph7r-qv6f","CVE-2021-21347"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.917Z","updated_at":"2023-02-01T05:05:10.000Z","epss_percentage":0.02713,"epss_percentile":0.85189},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJnaDMtOTg3aC13cG13","url":"https://github.com/advisories/GHSA-rgh3-987h-wpmw","title":"XML External Entity Injection in XStream","description":"Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML 
document.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2020-06-30T22:48:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2016-3674","https://github.com/x-stream/xstream/issues/25","https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385","http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183180.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183208.html","http://rhn.redhat.com/errata/RHSA-2016-2822.html","http://rhn.redhat.com/errata/RHSA-2016-2823.html","http://www.debian.org/security/2016/dsa-3575","http://www.openwall.com/lists/oss-security/2016/03/25/8","http://www.openwall.com/lists/oss-security/2016/03/28/1","http://www.securityfocus.com/bid/85381","http://www.securitytracker.com/id/1036419","http://x-stream.github.io/changes.html#1.4.9","https://github.com/advisories/GHSA-rgh3-987h-wpmw"],"source_kind":"github","identifiers":["GHSA-rgh3-987h-wpmw","CVE-2016-3674"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.9","vulnerable_version_range":"\u003c 1.4.9"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:23.807Z","updated_at":"2025-05-23T19:00:04.000Z","epss_percentage":0.05789,"epss_percentile":0.90009},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhyY3AtOGYzcS00dzJj","url":"https://github.com/advisories/GHSA-hrcp-8f3q-4w2c","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21351](https://x-stream.github.io/CVE-2021-21351.html).\n\n### Credits\nwh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:29:37.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-hrcp-8f3q-4w2c","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21351","https://x-stream.github.io/CVE-2021-21351.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KV
R6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-hrcp-8f3q-4w2c"],"source_kind":"github","identifiers":["GHSA-hrcp-8f3q-4w2c","CVE-2021-21351"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.880Z","updated_at":"2023-02-01T05:05:10.000Z","epss_percentage":0.91097,"epss_percentile":0.99612},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY2aG0tODh4My1tZmp2","url":"https://github.com/advisories/GHSA-f6hm-88x3-mfjv","title":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host","description":"### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21349](https://x-stream.github.io/CVE-2021-21349.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:29:19.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-f6hm-88x3-mfjv","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21349","https://x-stream.github.io/CVE-2021-21349.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedorapr
oject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-f6hm-88x3-mfjv"],"source_kind":"github","identifiers":["GHSA-f6hm-88x3-mfjv","CVE-2021-21349"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.898Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.04569,"epss_percentile":0.88637},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTJwM3gtcXc5Yy0yNWho","url":"https://github.com/advisories/GHSA-2p3x-qw9c-25hh","title":"XStream can cause a Denial of Service.","description":"### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21341](https://x-stream.github.io/CVE-2021-21341.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-03-22T23:27:51.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-2p3x-qw9c-25hh","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21341","https://x-stream.github.io/CVE-2021-21341.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraprojec
t.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-2p3x-qw9c-25hh"],"source_kind":"github","identifiers":["GHSA-2p3x-qw9c-25hh","CVE-2021-21341"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.962Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.26092,"epss_percentile":0.95974},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRjY2gtd3hwdy04cDI4","url":"https://github.com/advisories/GHSA-4cch-wxpw-8p28","title":"Server-Side Forgery Request can be activated unmarshalling with XStream","description":"### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.\n\n### Workarounds\nThe reported vulnerability does not exist running Java 15 or higher.\n\nNo user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! 
Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.14 or below who still insist on using XStream default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.14 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\n\nUsers of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString.class_, _java.lang.Void_ and _void_ and deny several types by name pattern.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n        || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n        || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)\n        || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n \n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2020-12-21T16:28:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-4cch-wxpw-8p28","https://nvd.nist.gov/vuln/detail/CVE-2020-26258","https://x-stream.github.io/CVE-2020-26258.html","https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html","https://www.debian.org/security/2021/dsa-4828","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","https://security.netapp.com/advisory/ntap-20210409-0005","https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34%40%3Ccommits.struts.apache.org%3E","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB","https://github.com/advisories/GHSA-4cch-wxpw-8p28"],"source_kind":"github","identifiers":["GHSA-4cch-wxpw-8p28","CVE-2020-26258"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.15","vulnerable_version_range":"\u003c 
1.4.15"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:12.403Z","updated_at":"2025-01-15T21:32:40.000Z","epss_percentage":0.9368,"epss_percentile":0.99833},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpmdngtN3dyeC00M2Zo","url":"https://github.com/advisories/GHSA-jfvx-7wrx-43fh","title":"XStream vulnerable to an Arbitrary File Deletion on the local host when unmarshalling","description":"### Impact\nThe vulnerability may allow a remote attacker to delete arbitrary known files on the host as long as the executing process has sufficient rights only by manipulating the processed input stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.15.\n\n### Workarounds\nThe reported vulnerability does only exist with a JAX-WS runtime on the classpath.\n\nNo user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! 
Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.14 or below who still insist on using XStream default blacklist - despite that clear recommendation - can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.14 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\n\nUsers of XStream 1.4.14 to 1.4.13 can simply add three lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _jdk.nashorn.internal.objects.NativeString.class_, _java.lang.Void_ and _void_ and deny several types by name pattern.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\", \"jdk.nashorn.internal.objects.NativeString\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });\nxstream.denyTypesByRegExp(new String[]{ \".*\\\\$LazyIterator\", \"javax\\\\.crypto\\\\..*\", \".*\\\\.ReadAllStream\\\\$FileStream\" });\n```\nUsers of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class\n        || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || type.getName().equals(\"jdk.nashorn.internal.objects.NativeString\")\n        || type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)\n        || type.getName().startsWith(\"javax.crypto.\") || type.getName().endsWith(\"$LazyIterator\") || type.getName().endsWith(\".ReadAllStream$FileStream\"));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n  \n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2020-12-21T16:28:26.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-jfvx-7wrx-43fh","https://nvd.nist.gov/vuln/detail/CVE-2020-26259","https://x-stream.github.io/CVE-2020-26259.html","https://lists.apache.org/thread.html/r97993e3d78e1f5389b7b172ba9f308440830ce5f051ee62714a0aa34@%3Ccommits.struts.apache.org%3E","https://lists.debian.org/debian-lts-announce/2020/12/msg00042.html","https://www.debian.org/security/2021/dsa-4828","https://security.netapp.com/advisory/ntap-20210409-0005/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://github.com/advisories/GHSA-jfvx-7wrx-43fh"],"source_kind":"github","identifiers":["GHSA-jfvx-7wrx-43fh","CVE-2020-26259"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.15","vulnerable_version_range":"\u003c 1.4.15"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:12.419Z","updated_at":"2023-02-01T05:05:06.000Z","epss_percentage":0.89548,"epss_percentile":0.99518},{"uuid":"GSA_kwCzR0hTQS1qNTYzLWdyeDQtcGpwds4AAwpk","url":"https://github.com/advisories/GHSA-j563-grx4-pjpv","title":"XStream can cause Denial of Service via stack overflow","description":"### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed 
input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. Following types of the Java runtime are affected:\n\n- java.util.HashMap\n- java.util.HashSet\n- java.util.Hashtable\n- java.util.LinkedHashMap\n- java.util.LinkedHashSet\n- Other third party collection implementations that use their element's hash code may also be affected\n\nA simple solution is to catch the StackOverflowError in the client code calling XStream.\n\nIf your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:\n```Java\nXStream xstream = new XStream();\nxstream.setMode(XStream.NO_REFERENCES);\n```\n\nIf your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:\n```Java\nXStream xstream = new XStream();\nxstream.denyTypes(new Class[]{\n java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class\n});\n```\n\nUnfortunately these types are very common. 
If you only use HashMap or HashSet and your XML refers to these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:\n```Java\nxstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);\nxstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);\n```\nHowever, this implies that your application does not care about the implementation of the map and all elements are comparable.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-41966](https://x-stream.github.io/CVE-2022-41966.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-29T01:48:08.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv","https://nvd.nist.gov/vuln/detail/CVE-2022-41966","https://x-stream.github.io/CVE-2022-41966.html","https://github.com/advisories/GHSA-j563-grx4-pjpv"],"source_kind":"github","identifiers":["GHSA-j563-grx4-pjpv","CVE-2022-41966"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.20","vulnerable_version_range":"\u003c 1.4.20"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-29T02:03:03.231Z","updated_at":"2023-06-27T20:59:29.000Z","epss_percentage":0.05011,"epss_percentile":0.89184},{"uuid":"GSA_kwCzR0hTQS0zbXE1LWZxOWgtZ2o3as4AAu55","url":"https://github.com/advisories/GHSA-3mq5-fq9h-gj7j","title":"Duplicate Advisory: Denial of Service due to 
parser crash","description":"## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of [GHSA-f8cc-g7j8-xxpm](https://github.com/advisories/GHSA-f8cc-g7j8-xxpm). This link is maintained to preserve external references.\n\n## Original Description\nThose using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.","origin":"UNSPECIFIED","severity":"LOW","published_at":"2022-09-17T00:00:41.000Z","withdrawn_at":"2023-03-03T23:04:23.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2022-40151","https://github.com/x-stream/xstream/issues/304","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367","https://github.com/x-stream/xstream/issues/314","https://github.com/advisories/GHSA-3mq5-fq9h-gj7j"],"source_kind":"github","identifiers":["GHSA-3mq5-fq9h-gj7j"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":null,"vulnerable_version_range":"\u003c= 1.4.19"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:11:50.276Z","updated_at":"2023-03-03T23:04:24.000Z","epss_percentage":null,"epss_percentile":null},{"uuid":"GSA_kwCzR0hTQS1mOGNjLWc3ajgteHhwbc4AAwqj","url":"https://github.com/advisories/GHSA-f8cc-g7j8-xxpm","title":"XStream can cause a Denial of Service by injecting deeply nested objects raising a stack overflow","description":"### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.20 handles the stack overflow and raises an InputManipulationException instead.\n\n### 
Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2022-40151](https://x-stream.github.io/CVE-2022-40151.html).\n\n### Credits\nThe vulnerability was discovered and reported by Henry Lin of the Google OSS-Fuzz team.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-30T16:58:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-f8cc-g7j8-xxpm","https://nvd.nist.gov/vuln/detail/CVE-2022-40151","https://github.com/x-stream/xstream/issues/304","https://github.com/x-stream/xstream/issues/314","https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47367","https://x-stream.github.io/CVE-2022-40151.html","https://github.com/advisories/GHSA-f8cc-g7j8-xxpm"],"source_kind":"github","identifiers":["GHSA-f8cc-g7j8-xxpm","CVE-2022-40151"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.20","vulnerable_version_range":"\u003c 1.4.20"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-30T17:09:53.270Z","updated_at":"2023-01-07T05:05:33.000Z","epss_percentage":0.00203,"epss_percentile":0.43004},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRocm0tbTY3di01Y3hy","url":"https://github.com/advisories/GHSA-4hrm-m67v-5cxr","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a 
remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21346](https://x-stream.github.io/CVE-2021-21346.html).\n\n### Credits\nwh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:28:49.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-4hrm-m67v-5cxr","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21346","https://x-stream.github.io/CVE-2021-21346.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-4hrm-m67v-5cxr"],"source_kind":"github","identifiers":["GHSA-4hrm-m67v-5cxr","CVE-2021-21346"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.925Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.04078,"epss_percentile":0.87976},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThqcmotNTI1cC04MjZ2","url":"https://github.com/advisories/GHSA-8jrj-525p-826v","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39145](https://x-stream.github.io/CVE-2021-39145.html).\n\n### Credits\n李安诺 (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue independently to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:48:12.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-8jrj-525p-826v","https://nvd.nist.gov/vuln/detail/CVE-2021-39145","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://security.netapp.com/advisory/ntap-20210923-0003/","https://x-stream.github.io/CVE-2021-39145.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-8jrj-525p-826v"],"source_kind":"github","identifiers":["GHSA-8jrj-525p-826v","CVE-2021-39145"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.294Z","updated_at":"2023-01-27T05:02:19.000Z","epss_percentage":0.00306,"epss_percentile":0.53341},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWo5aDgtcGhydy1oNGZo","url":"https://github.com/advisories/GHSA-j9h8-phrw-h4fh","title":"XStream is vulnerable to a Remote Command Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by 
manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39144](https://x-stream.github.io/CVE-2021-39144.html).\n\n### Credits\n\nCeclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Email us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:48:19.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh","https://nvd.nist.gov/vuln/detail/CVE-2021-39144","https://x-stream.github.io/CVE-2021-39144.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","http://packetstormsecurity.com/files/169859/VMware-NSX-Manager-XStream-Unauthenticated-Remote-Code-Execution.html","https://github.com/advisories/GHSA-j9h8-phrw-h4fh"],"source_kind":"github","identifiers":["GHSA-j9h8-phrw-h4fh","CVE-2021-39144"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.378Z","updated_at":"2023-06-27T19:51:25.000Z","epss_percentage":0.94412,"epss_percentile":0.99971},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA4cHEtcjg5NC1mbThm","url":"https://github.com/advisories/GHSA-p8pq-r894-fm8f","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### 
Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39146](https://x-stream.github.io/CVE-2021-39146.html).\n\n### Credits\nCeclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:57.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-p8pq-r894-fm8f","https://nvd.nist.gov/vuln/detail/CVE-2021-39146","https://x-stream.github.io/CVE-2021-39146.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-p8pq-r894-fm8f"],"source_kind":"github","identifiers":["GHSA-p8pq-r894-fm8f","CVE-2021-39146"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.188Z","updated_at":"2023-01-27T05:02:19.000Z","epss_percentage":0.44883,"epss_percentile":0.97413},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW13MzYtN2M2Yy1xNHEy","url":"https://github.com/advisories/GHSA-mw36-7c6c-q4q2","title":"XStream can be used for Remote Code Execution","description":"### Impact\nThe vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input 
stream.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.14.\n\n### Workarounds\nNo user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability.\n\nUsers of XStream 1.4.13 or below who still want to use XStream's default blacklist can use a workaround depending on their version in use.\n\nUsers of XStream 1.4.13 can simply add two lines to XStream's setup code:\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });\n```\nUsers of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to set up such a list from scratch and deny at least the following types: _javax.imageio.ImageIO$ContainsFilter_, _java.beans.EventHandler_, _java.lang.ProcessBuilder_, _java.lang.Void_ and _void_.\n```Java\nxstream.denyTypes(new String[]{ \"javax.imageio.ImageIO$ContainsFilter\" });\nxstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });\n```\nUsers of XStream 1.4.6 or below can register their own converter to prevent the unmarshalling of the currently known critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:\n```Java\nxstream.registerConverter(new Converter() {\n  public boolean canConvert(Class type) {\n    return type != null \u0026\u0026 (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || type == void.class || type.getName().equals(\"javax.imageio.ImageIO$ContainsFilter\") || java.lang.reflect.Proxy.isProxyClass(type));\n  }\n\n  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n\n  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {\n    throw new ConversionException(\"Unsupported type due to security reasons.\");\n  }\n}, XStream.PRIORITY_LOW);\n```\n\n### Credits\nChen L found and reported the issue to XStream and provided the required information to reproduce it. He was supported by Zhihong Tian and Hui Lu, both from Guangzhou University.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2020-26217](https://x-stream.github.io/CVE-2020-26217.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2020-11-16T20:07:59.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2","https://nvd.nist.gov/vuln/detail/CVE-2020-26217","https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a","https://x-stream.github.io/CVE-2020-26217.html","https://lists.debian.org/debian-lts-announce/2020/12/msg00001.html","https://www.debian.org/security/2020/dsa-4811","https://lists.apache.org/thread.html/r826a006fda71cc96fc87b6eca4b5d195f19a292ad36cea501682c38c@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/redde3609b89b2a4ff18b536a06ef9a77deb93d47fda8ed28086fa8c3@%3Cissues.activemq.apache.org%3E","https://lists.apache.org/thread.html/r2de526726e7f4db4a7cb91b7355070779f51a84fd985c6529c2f4e9e@%3Cissues.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210409-0004/","https://www.oracle.com/security-alerts/cpuApr2021.html","https://lists.apache.org/thread.html/r7c9fc255edc0b9cd9567093d131f6d33fde4c662aaf912460ef630e9@%3Ccommits.camel.apache.org%3E","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://github.com/advisories/GHSA-mw36-7c6c-q4q2"],"source_kind":"github","identifiers":["GHSA-mw36-7c6c-q4q2","CVE-2020-26217"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.14-jdk7","vulnerable_version_range":"\u003c= 
1.4.13"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:12.991Z","updated_at":"2023-02-01T05:05:05.000Z","epss_percentage":0.93566,"epss_percentile":0.99829},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTQzZ2MtbWp4Zy1ndnJx","url":"https://github.com/advisories/GHSA-43gc-mjxg-gvrq","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21350](https://x-stream.github.io/CVE-2021-21350.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:29:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-43gc-mjxg-gvrq","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21350","https://x-stream.github.io/CVE-2021-21350.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-43gc-mjxg-gvrq"],"source_kind":"github","identifiers":["GHSA-43gc-mjxg-gvrq","CVE-2021-21350"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.889Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.0845,"epss_percentile":0.91864},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh3cGMtOHhxdi1qdmo0","url":"https://github.com/advisories/GHSA-hwpc-8xqv-jvj4","title":"XStream is vulnerable to a Remote Command Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21345](https://x-stream.github.io/CVE-2021-21345.html).\n\n### Credits\n钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:28:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21345","https://x-stream.github.io/CVE-2021-21345.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://www.oracle.com/security-alerts/cpuApr2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-hwpc-8xqv-jvj4"],"source_kind":"github","identifiers":["GHSA-hwpc-8xqv-jvj4","CVE-2021-21345"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.934Z","updated_at":"2023-01-29T05:06:34.000Z","epss_percentage":0.86687,"epss_percentile":0.99368},{"uuid":"GSA_kwCzR0hTQS1ybXI1LWNwdjItdmdqZs0n7Q","url":"https://github.com/advisories/GHSA-rmr5-cpv2-vgjf","title":"Denial of Service by injecting highly recursive collections or maps in XStream","description":"### Impact\nThe vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream.\n\n### Patches\nXStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded.\n\n### Workarounds\nThe attack uses the hash code implementation for collections and maps to force an exponential calculation time due to highly recursive structures within the collection or map. 
Following types of the Java runtime are affected in Java versions available in December 2021:\n\n- java.util.HashMap\n- java.util.HashSet\n- java.util.Hashtable\n- java.util.LinkedHashMap\n- java.util.LinkedHashSet\n- java.util.Stack (older Java revisions only)\n- java.util.Vector (older Java revisions only)\n- Other third party collection implementations that use their element's hash code may also be affected\n\nIf your object graph does not use referenced elements at all, you may simply set the NO_REFERENCE mode:\n```Java\nXStream xstream = new XStream();\nxstream.setMode(XStream.NO_REFERENCES);\n```\n\nIf your object graph contains neither a Hashtable, HashMap nor a HashSet (or one of the linked variants of it) then you can use the security framework to deny the usage of these types:\n```Java\nXStream xstream = new XStream();\nxstream.denyTypes(new Class[]{\n java.util.HashMap.class, java.util.HashSet.class, java.util.Hashtable.class, java.util.LinkedHashMap.class, java.util.LinkedHashSet.class\n});\n```\n\nUnfortunately these types are very common. 
If you only use HashMap or HashSet and your XML refers to these only as default map or set, you may additionally change the default implementation of java.util.Map and java.util.Set at unmarshalling time:\n```Java\nxstream.addDefaultImplementation(java.util.TreeMap.class, java.util.Map.class);\nxstream.addDefaultImplementation(java.util.TreeSet.class, java.util.Set.class);\n```\nHowever, this implies that your application does not care about the implementation of the map and all elements are comparable.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-43859](https://x-stream.github.io/CVE-2021-43859.html).\n\n### Credits\nThe vulnerability was discovered and reported by r00t4dm at Cloud-Penetrating Arrow Lab.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-02-01T00:48:15.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf","https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846","https://x-stream.github.io/CVE-2021-43859.html","https://nvd.nist.gov/vuln/detail/CVE-2021-43859","http://www.openwall.com/lists/oss-security/2022/02/09/1","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VACQYG356OHUTD5WQGAQ4L2TTFTAV3SJ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XODFRE2ZL64FICBJDOPWOLPTSSAI4U7X/","https://lists.debian.org/debian-lts-announce/2022/02/msg00018.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-rmr5-cpv2-vgjf"],"source_kind":"github","identifiers":["GHSA-rmr5-cpv2-vgjf","CVE-2021-43859"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.19","vulnerable_version_range":"\u003c 1.4.19"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:37.386Z","updated_at":"2023-01-29T05:00:51.000Z","epss_percentage":0.01665,"epss_percentile":0.81163},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhwaDItbTNnNS14eHY0","url":"https://github.com/advisories/GHSA-hph2-m3g5-xxv4","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. 
No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39151](https://x-stream.github.io/CVE-2021-39151.html).\n\n### Credits\nSmi1e of DBAPPSecurity WEBIN Lab found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-hph2-m3g5-xxv4","https://nvd.nist.gov/vuln/detail/CVE-2021-39151","https://x-stream.github.io/CVE-2021-39151.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.or
acle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-hph2-m3g5-xxv4"],"source_kind":"github","identifiers":["GHSA-hph2-m3g5-xxv4","CVE-2021-39151"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.745Z","updated_at":"2023-01-27T05:02:46.000Z","epss_percentage":0.00351,"epss_percentile":0.56791},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFyeDgtODU0NS00d2cy","url":"https://github.com/advisories/GHSA-qrx8-8545-4wg2","title":"XStream is vulnerable to an Arbitrary Code Execution attack","description":"### Impact\nThe vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nXStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39148](https://x-stream.github.io/CVE-2021-39148.html).\n\n### Credits\nwh1t3p1g from TSRC (Tencent Security Response Center) found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-qrx8-8545-4wg2","https://nvd.nist.gov/vuln/detail/CVE-2021-39148","https://x-stream.github.io/CVE-2021-39148.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-qrx8-8545-4wg2"],"source_kind":"github","identifiers":["GHSA-qrx8-8545-4wg2","CVE-2021-39148"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:51.027Z","updated_at":"2025-06-05T01:18:03.362Z","epss_percentage":0.00569,"epss_percentile":0.67474},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWhmMjMtOXBmNy0zODhw","url":"https://github.com/advisories/GHSA-hf23-9pf7-388p","title":"Deserialization of Untrusted Data and Code Injection in xstream","description":"It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. 
If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2019-07-26T16:09:47.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2019-10173","http://x-stream.github.io/changes.html#1.4.11","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173","https://access.redhat.com/errata/RHSA-2019:3892","https://access.redhat.com/errata/RHSA-2019:4352","https://access.redhat.com/errata/RHSA-2020:0445","https://access.redhat.com/errata/RHSA-2020:0727","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2021.html","https://www.oracle.com/security-alerts/cpuoct2020.html","https://www.oracle.com/security-alerts/cpuApr2021.html","https://www.oracle.com//security-alerts/cpujul2021.html","https://github.com/advisories/GHSA-hf23-9pf7-388p"],"source_kind":"github","identifiers":["GHSA-hf23-9pf7-388p","CVE-2019-10173"],"repository_url":null,"blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.11","vulnerable_version_range":"\u003c= 1.4.10"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:06.140Z","updated_at":"2025-06-05T01:18:19.320Z","epss_percentage":0.91872,"epss_percentile":0.9967},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWN4Zm0tNW00Zy14N3hw","url":"https://github.com/advisories/GHSA-cxfm-5m4g-x7xp","title":"A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or the local host","description":"### Impact\nThe vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the 
processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-39150](https://x-stream.github.io/CVE-2021-39150.html).\n\n### Credits\nLai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information to reproduce it.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)\n","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2021-08-25T14:47:19.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-cxfm-5m4g-x7xp","https://nvd.nist.gov/vuln/detail/CVE-2021-39150","https://x-stream.github.io/CVE-2021-39150.html","https://security.netapp.com/advisory/ntap-20210923-0003/","https://lists.debian.org/debian-lts-announce/2021/09/msg00017.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://www.oracle.com/security-alerts/cpuapr2022.html","https://www.oracle.com/security-alerts/cpujul2022.html","https://github.com/advisories/GHSA-cxfm-5m4g-x7xp"],"source_kind":"github","identifiers":["GHSA-cxfm-5m4g-x7xp","CVE-2021-39150"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.18","vulnerable_version_range":"\u003c 1.4.18"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:12:50.800Z","updated_at":"2023-01-27T05:02:32.000Z","epss_percentage":0.00897,"epss_percentile":0.74578},{"uuid":"GSA_kwCzR0hTQS1oZnE5LWhnZ20tYzU2cc4ABBEZ","url":"https://github.com/advisories/GHSA-hfq9-hggm-c56q","title":"XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream","description":"### Impact\nThe vulnerability may allow a remote attacker to terminate the 
application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.\n\n### Patches\nXStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).\n\n### Credits\nAlexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2024-11-07T21:51:17.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.7,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P","references":["https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q","https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266","https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a","https://x-stream.github.io/CVE-2024-47072.html","https://nvd.nist.gov/vuln/detail/CVE-2024-47072","https://github.com/advisories/GHSA-hfq9-hggm-c56q"],"source_kind":"github","identifiers":["GHSA-hfq9-hggm-c56q","CVE-2024-47072"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":33.927998037582284,"packages":[{"versions":[{"first_patched_version":"1.4.21","vulnerable_version_range":"\u003c 
1.4.21"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2024-11-07T22:06:53.914Z","updated_at":"2024-11-08T13:55:23.000Z","epss_percentage":0.00132,"epss_percentile":0.34165},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU2cDgtM2ZoOS00Y3Zx","url":"https://github.com/advisories/GHSA-56p8-3fh9-4cvq","title":"XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos)","description":"### Impact\nThe vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.\n\n### Patches\nIf you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.16.\n\n### Workarounds\nSee [workarounds](https://x-stream.github.io/security.html#workaround) for the different versions covering all CVEs.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2021-21348](https://x-stream.github.io/CVE-2021-21348.html).\n\n### Credits\nThe vulnerability was discovered and reported by threedr3am.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [XStream](https://github.com/x-stream/xstream/issues)\n* Contact us at [XStream Google 
Group](https://groups.google.com/group/xstream-user)","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-03-22T23:29:09.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/x-stream/xstream/security/advisories/GHSA-56p8-3fh9-4cvq","https://x-stream.github.io/security.html#workaround","http://x-stream.github.io/changes.html#1.4.16","https://nvd.nist.gov/vuln/detail/CVE-2021-21348","https://x-stream.github.io/CVE-2021-21348.html","https://lists.debian.org/debian-lts-announce/2021/04/msg00002.html","https://lists.apache.org/thread.html/r9ac71b047767205aa22e3a08cb33f3e0586de6b2fac48b425c6e16b0@%3Cdev.jmeter.apache.org%3E","https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E","https://security.netapp.com/advisory/ntap-20210430-0002/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/22KVR6B5IZP3BGQ3HPWIO2FWWCKT3DHP/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QGXIU3YDPG6OGTDHMBLAFN7BPBERXREB/","https://www.oracle.com//security-alerts/cpujul2021.html","https://www.oracle.com/security-alerts/cpuoct2021.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVPHZA7VW2RRSDCOIPP2W6O5ND254TU7/","https://www.debian.org/security/2021/dsa-5004","https://www.oracle.com/security-alerts/cpujan2022.html","https://github.com/advisories/GHSA-56p8-3fh9-4cvq"],"source_kind":"github","identifiers":["GHSA-56p8-3fh9-4cvq","CVE-2021-21348"],"repository_url":"https://github.com/x-stream/xstream","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"1.4.16","vulnerable_version_range":"\u003c 
1.4.16"}],"ecosystem":"maven","package_name":"com.thoughtworks.xstream:xstream"}],"created_at":"2022-12-21T16:13:09.907Z","updated_at":"2023-02-01T05:05:12.000Z","epss_percentage":0.00204,"epss_percentile":0.43104}],"docker_usage_url":"https://docker.ecosyste.ms/usage/maven/com.thoughtworks.xstream:xstream","docker_dependents_count":8503,"docker_downloads_count":5023921787,"usage_url":"https://repos.ecosyste.ms/usage/maven/com.thoughtworks.xstream:xstream","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/maven/com.thoughtworks.xstream:xstream/dependencies","status":null,"funding_links":[],"critical":true,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/com.thoughtworks.xstream:xstream/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/com.thoughtworks.xstream:xstream/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/com.thoughtworks.xstream:xstream/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/com.thoughtworks.xstream:xstream/related_packages","maintainers":[],"registry":{"name":"repo1.maven.org","url":"https://repo.maven.apache.org/maven2","ecosystem":"maven","default":true,"packages_count":517640,"maintainers_count":0,"namespaces_count":68787,"keywords_count":32037,"github":"maven-central","metadata":{"funded_packages_count":24975},"icon_url":"https://github.com/maven-central.png","created_at":"2022-07-21T16:40:13.074Z","updated_at":"2025-06-06T05:59:03.422Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/namespaces"}},"unique_repositories_count":133,"unique_repositories_count_past_30_days":2,"recent_issues
":[{"uuid":"4305085202","node_id":"PR_kwDOSBNS1c7UbHbf","number":12,"state":"open","title":"chore: bump the maven group across 1 directory with 2 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":null,"author_association":null,"state_reason":null,"created_at":"2026-04-21T20:21:51.000Z","updated_at":"2026-04-22T00:14:46.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore: bump","group_name":"maven","update_count":2,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bitbucket.b_c:jose4j","old_version":"0.9.3","new_version":"0.9.6"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 2 updates in the / directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.5 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bitbucket.b_c:jose4j` from 0.9.3 to 0.9.6\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1ec20f8716436857a3929f60e644d4de1e40bfd9\"\u003e\u003ccode\u003e1ec20f8\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e4da603d8ebd40f4f2080e24c9b906b9e3f31fc5\"\u003e\u003ccode\u003ee4da603\u003c/code\u003e\u003c/a\u003e Update slf4j-api to 1.7.36 
to avoid CVE-2018-8088\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/b5720a2fde3fc0a1937737ead27863b404f0f458\"\u003e\u003ccode\u003eb5720a2\u003c/code\u003e\u003c/a\u003e Merged in master (pull request \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/25\"\u003e#25\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/72739aeeadb468db72d7944a6d8c3c2593dd2a9c\"\u003e\u003ccode\u003e72739ae\u003c/code\u003e\u003c/a\u003e fix spelling\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b31cd4461fd56750c499c139ca39f0\"\u003e\u003ccode\u003e1afaa1e\u003c/code\u003e\u003c/a\u003e Add the PBES2 algorithms to JWE's default blocked AlgorithmConstraints and pu...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/055225eae37ff00b9636376de292bd5848219a31\"\u003e\u003ccode\u003e055225e\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release jose4j-0.9.4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e2bdbdfced11842cad5f0a870bd79f267c6125b3\"\u003e\u003ccode\u003ee2bdbdf\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/3e97f620ad1c32c4f605cf850bbcc5414c9ca647\"\u003e\u003ccode\u003e3e97f62\u003c/code\u003e\u003c/a\u003e Attempt to provide somewhat better error messages for invalid JWTs (especiall...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/8b2316f94f910f525529239e1be807c9cb991ab8\"\u003e\u003ccode\u003e8b2316f\u003c/code\u003e\u003c/a\u003e JsonWebKey.Factory.newJwk(Key key) to throw an exception when given a private...\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://bitbucket.org/b_c/jose4j/commits/fa33e980f158ac876348402c6f025403f4e6a51a\"\u003e\u003ccode\u003efa33e98\u003c/code\u003e\u003c/a\u003e Fix JWKS key resolution for ECDH-ES* decryption with OKP keys (issue \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/218\"\u003e#218\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.6..jose4j-0.9.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific 
dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Cluster-Mesh/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Cluster-Mesh/WebGoat/pull/12","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cluster-Mesh%2FWebGoat/issues/12","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/12/packages"},{"uuid":"4134844315","node_id":"PR_kwDORiYEls7NUr51","number":1,"state":"closed","title":"Bump the maven group across 1 directory with 3 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-03-27T02:30:52.000Z","author_association":null,"state_reason":null,"created_at":"2026-03-25T11:52:54.000Z","updated_at":"2026-03-27T02:30:53.000Z","time_to_close":139078,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","group_name":"maven","update_count":3,"packages":[{"name":"org.apache.commons:commons-lang3","old_version":"3.15.0","new_version":"3.18.0"},{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.20","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bouncycastle:bcpkix-jdk18on","old_version":"1.78.1","new_version":"1.79","repository_url":"https://github.com/bcgit/bc-java"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 3 updates in the /core directory: org.apache.commons:commons-lang3, [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and 
[org.bouncycastle:bcpkix-jdk18on](https://github.com/bcgit/bc-java).\n\nUpdates `org.apache.commons:commons-lang3` from 3.15.0 to 3.18.0\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.20 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bouncycastle:bcpkix-jdk18on` from 1.78.1 to 1.79\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html\"\u003eorg.bouncycastle:bcpkix-jdk18on's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003cp\u003e\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e2.1.1 Version\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e\nRelease: 1.84\u003c!-- raw HTML omitted --\u003e\nDate:      TBD\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003cp\u003e\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e2.2.1 Version\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e\nRelease: 1.83\u003c!-- raw HTML omitted --\u003e\nDate:      2025, November 27th.\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... 
(truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/bcgit/bc-java/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore 
condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ThalesGroup/igniterealtime_Spark/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/ThalesGroup/igniterealtime_Spark/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Figniterealtime_Spark/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"},{"uuid":"3984674649","node_id":"PR_kwDOCecuCs7F-51R","number":5,"state":"closed","title":"Bump the maven group across 3 directories with 8 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-04-10T23:55:49.000Z","author_association":null,"state_reason":null,"created_at":"2026-02-24T16:32:52.000Z","updated_at":"2026-04-10T23:55:50.000Z","time_to_close":3914577,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","group_name":"maven","update_count":8,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"com.h2database:h2","old_version":"1.3.170","new_version":"2.2.220","repository_url":"https://github.com/h2database/h2database"},{"name":"org.apache.logging.log4j:log4j-core","old_version":"2.5","new_version":"2.25.3"},{"name":"ch.qos.logback:logback-classic","old_version":"0.9.19","new_version":"1.2.13","repository_url":"https://github.com/qos-ch/logback"},{"name":"org.springframework:spring-context","old_version":"3.1.0.RELEASE","new_version":"6.1.20","repository_url":"https://github.com/spring-projects/spring-framework"},{"name":"org.springframework:spring-web","old_version":"3.1.0.RELEASE","new_version":"6.1.21","repository_url":"https://github.com/spring-projects/spring-framework"},{
"name":"org.hibernate:hibernate-core","old_version":"3.6.9.Final","new_version":"5.3.20.Final","repository_url":"https://github.com/hibernate/hibernate-orm"},{"name":"junit:junit","old_version":"4.11","new_version":"4.13.1","repository_url":"https://github.com/junit-team/junit4"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /javamelody-collector-server directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\nBumps the maven group with 1 update in the /javamelody-swing directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\nBumps the maven group with 8 updates in the /javamelody-test-webapp directory:\n\n| Package | From | To |\n| --- | --- | --- |\n| [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) | `1.4.10` | `1.4.21` |\n| [com.h2database:h2](https://github.com/h2database/h2database) | `1.3.170` | `2.2.220` |\n| org.apache.logging.log4j:log4j-core | `2.5` | `2.25.3` |\n| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `0.9.19` | `1.2.13` |\n| [org.springframework:spring-context](https://github.com/spring-projects/spring-framework) | `3.1.0.RELEASE` | `6.1.20` |\n| [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) | `3.1.0.RELEASE` | `6.1.21` |\n| [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) | `3.6.9.Final` | `5.3.20.Final` |\n| [junit:junit](https://github.com/junit-team/junit4) | `4.11` | `4.13.1` |\n\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 
1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.h2database:h2` from 1.3.170 to 2.2.220\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/h2database/h2database/releases\"\u003ecom.h2database:h2's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eVersion 2.2.220\u003c/h2\u003e\n\u003cp\u003eChanges since 2.1.214 release:\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... 
(truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/h2database/h2database/commits/version-2.2.220\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.apache.logging.log4j:log4j-core` from 2.5 to 2.25.3\n\nUpdates `ch.qos.logback:logback-classic` from 0.9.19 to 1.2.13\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/2648b9e7fbb47426c89b9c93b411c07484e8f277\"\u003e\u003ccode\u003e2648b9e\u003c/code\u003e\u003c/a\u003e prepare release 1.2.13\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3\"\u003e\u003ccode\u003ebb09515\u003c/code\u003e\u003c/a\u003e fix CVE-2023-6378\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/45732949bfb845df04cbe65292cf48aaa090cb1d\"\u003e\u003ccode\u003e4573294\u003c/code\u003e\u003c/a\u003e start work on 1.2.13-SNAPSHOT\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/a388193052c298ca87cc64192319df723288c6ab\"\u003e\u003ccode\u003ea388193\u003c/code\u003e\u003c/a\u003e Merge branch 'branch_1.2.x' of github.com:qos-ch/logback into branch_1.2.x\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/de44dc422bc3da1d7808283851324d960b492d4d\"\u003e\u003ccode\u003ede44dc4\u003c/code\u003e\u003c/a\u003e prepare release 1.2.12\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/ca0cf172f680308938515b8a5d69348759ee947c\"\u003e\u003ccode\u003eca0cf17\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/qos-ch/logback/issues/532\"\u003e#532\u003c/a\u003e from 
joakime/fix-jetty-requestlog\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/e31609b1980b9ba986344aae3cab7275fa2b4935\"\u003e\u003ccode\u003ee31609b\u003c/code\u003e\u003c/a\u003e removed unused files\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/21e29efb284766f386781175b2ba18585b690154\"\u003e\u003ccode\u003e21e29ef\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/qos-ch/logback/issues/567\"\u003e#567\u003c/a\u003e from spliffone/LOGBACK-1633\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/e869000e1d5901e6aa6f46cc6575ee2137f15b69\"\u003e\u003ccode\u003ee869000\u003c/code\u003e\u003c/a\u003e fix: published POM file contain the wrong scm URL\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/009ea46cb81a015f2ca312bde6e823581b93b37a\"\u003e\u003ccode\u003e009ea46\u003c/code\u003e\u003c/a\u003e version for next dev cycle\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/qos-ch/logback/compare/release_0.9.19...v_1.2.13\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.springframework:spring-context` from 3.1.0.RELEASE to 6.1.20\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/spring-projects/spring-framework/releases\"\u003eorg.springframework:spring-context's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.20\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd option for case-insensitive match to PatternMatchUtils \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34802\"\u003e#34802\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34854\"\u003e#34854\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAccidental ClassLoader defineClass enforcement after \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34677\"\u003e#34677\u003c/a\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34839\"\u003e#34839\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eClarify \u003ccode\u003eCompositePropertySource\u003c/code\u003e behavior for \u003ccode\u003eEnumerablePropertySource\u003c/code\u003e contract \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34887\"\u003e#34887\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.18 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34899\"\u003e#34899\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.19\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSuggest compilation with \u003ccode\u003e-parameters\u003c/code\u003e when \u003ccode\u003eAspectJAdviceParameterNameDiscoverer\u003c/code\u003e fails against ambiguity \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34618\"\u003e#34618\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug 
Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ePropertyBatchUpdateException\u003c/code\u003e: causes of nested \u003ccode\u003ePropertyAccessException\u003c/code\u003es not shown in output \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34698\"\u003e#34698\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eChange in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34694\"\u003e#34694\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eStartup performance regression due to CGLIB class load attempts in Spring 6.1.x \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34693\"\u003e#34693\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34690\"\u003e#34690\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@Configuration\u003c/code\u003e classes can no longer be \u003ccode\u003eabstract\u003c/code\u003e without \u003ccode\u003e@Bean\u003c/code\u003e methods \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34689\"\u003e#34689\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerated-code for LinkedHashMap is missing static keyword \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34661\"\u003e#34661\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34619\"\u003e#34619\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd javadoc notes on potential exception 
suppression in \u003ccode\u003eListableBeanFactory#getBeansOfType\u003c/code\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34631\"\u003e#34631\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRemove remaining references to Forwarded headers in MvcUriComponentsBuilder \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34626\"\u003e#34626\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMvcUriComponentsBuilder\u003c/code\u003e javadocs inaccurately reflects usage of forwarded headers \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34620\"\u003e#34620\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.18\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAvoid unnecessary CGLIB processing on configuration classes \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34487\"\u003e#34487\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eInconsistent default class loaders in hint classes \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34473\"\u003e#34473\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDefaultManagedTaskExecutor throws java.lang.UnsupportedOperationException: isShutdown when rejecting tasks \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34515\"\u003e#34515\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEndless loop with DataSourceUtils in spring-jdbc \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34497\"\u003e#34497\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMockHttpServletResponse - handle multiple values for Content-Language header \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34491\"\u003e#34491\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/1f9c59b17b5a7afc69f28b694de4553d6b65c9d5\"\u003e\u003ccode\u003e1f9c59b\u003c/code\u003e\u003c/a\u003e Release v6.1.20\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/edfcc6ffb188e4614ec9b212e3208b666981851c\"\u003e\u003ccode\u003eedfcc6f\u003c/code\u003e\u003c/a\u003e Make use of PatternMatchUtils ignoreCase option\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/f93132b11ef6aa5718d20a05846828659c082fe8\"\u003e\u003ccode\u003ef93132b\u003c/code\u003e\u003c/a\u003e Add missing \u003ca href=\"https://github.com/since\"\u003e\u003ccode\u003e@​since\u003c/code\u003e\u003c/a\u003e tags in PatternMatchUtils\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/6ab4c84bd528d9480071d3dec4ff0b4904dbbb2f\"\u003e\u003ccode\u003e6ab4c84\u003c/code\u003e\u003c/a\u003e Upgrade to Reactor 2023.0.18\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/d5fca0d2c5d96b1a59a5814aa38c5f3b15238301\"\u003e\u003ccode\u003ed5fca0d\u003c/code\u003e\u003c/a\u003e Upgrade to Jetty 12.0.21, Netty 4.1.121, Apache HttpClient 5.4.4, Checkstyle ...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/cbb94193fe9f11d1af8b8958292b0edc8451cd4c\"\u003e\u003ccode\u003ecbb9419\u003c/code\u003e\u003c/a\u003e Clarify CompositePropertySource behavior for EnumerablePropertySource 
contract\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/5b5e2b68767537f204d8392201497805ce6562d7\"\u003e\u003ccode\u003e5b5e2b6\u003c/code\u003e\u003c/a\u003e Fix HttpClient 5.3.x request config compatibility\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/a5b0399a1d6f3e89ae3bbfeb0b13142ecaddb4e9\"\u003e\u003ccode\u003ea5b0399\u003c/code\u003e\u003c/a\u003e Polishing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/71f27256381d72170f9c6d38eea3032ceb24f030\"\u003e\u003ccode\u003e71f2725\u003c/code\u003e\u003c/a\u003e Try loadClass on LinkageError in case of same ClassLoader as well\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/daee9f1242264215876e67f6ef43b117195385c6\"\u003e\u003ccode\u003edaee9f1\u003c/code\u003e\u003c/a\u003e Reinstate the @⁠Inject Technology Compatibility Kit (TCK)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/spring-projects/spring-framework/compare/v3.1.0.RELEASE...v6.1.20\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.springframework:spring-web` from 3.1.0.RELEASE to 6.1.21\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/spring-projects/spring-framework/releases\"\u003eorg.springframework:spring-web's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.21\u003c/h2\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEncode non-printable character in Content-Disposition parameter \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35035\"\u003e#35035\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAllow update of existing \u003ccode\u003eWebSession\u003c/code\u003e after max sessions limit is reached \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35018\"\u003e#35018\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEnhanced configuration class fails to call package-visible superclass constructor on WebSphere \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34951\"\u003e#34951\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.19 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35022\"\u003e#35022\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.20\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd option for case-insensitive match to PatternMatchUtils \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34802\"\u003e#34802\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34854\"\u003e#34854\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAccidental ClassLoader defineClass enforcement after \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34677\"\u003e#34677\u003c/a\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34839\"\u003e#34839\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eClarify 
\u003ccode\u003eCompositePropertySource\u003c/code\u003e behavior for \u003ccode\u003eEnumerablePropertySource\u003c/code\u003e contract \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34887\"\u003e#34887\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.18 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34899\"\u003e#34899\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.19\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSuggest compilation with \u003ccode\u003e-parameters\u003c/code\u003e when \u003ccode\u003eAspectJAdviceParameterNameDiscoverer\u003c/code\u003e fails against ambiguity \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34618\"\u003e#34618\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ePropertyBatchUpdateException\u003c/code\u003e: causes of nested \u003ccode\u003ePropertyAccessException\u003c/code\u003es not shown in output \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34698\"\u003e#34698\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eChange in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34694\"\u003e#34694\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eStartup performance regression due to CGLIB class load attempts in Spring 6.1.x \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34693\"\u003e#34693\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34690\"\u003e#34690\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@Configuration\u003c/code\u003e classes can no longer be \u003ccode\u003eabstract\u003c/code\u003e without \u003ccode\u003e@Bean\u003c/code\u003e methods \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34689\"\u003e#34689\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerated-code for LinkedHashMap is missing static keyword \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34661\"\u003e#34661\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34619\"\u003e#34619\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd javadoc notes on potential exception suppression in \u003ccode\u003eListableBeanFactory#getBeansOfType\u003c/code\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34631\"\u003e#34631\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRemove remaining references to Forwarded headers in MvcUriComponentsBuilder \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34626\"\u003e#34626\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMvcUriComponentsBuilder\u003c/code\u003e javadocs inaccurately reflects usage of forwarded headers \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34620\"\u003e#34620\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... 
(truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/fa36b342ebafc488f29f7d30c8e69a3d4b988ae6\"\u003e\u003ccode\u003efa36b34\u003c/code\u003e\u003c/a\u003e Release v6.1.21\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/498ccda8fc354a905875a79f2d29e25a447b718b\"\u003e\u003ccode\u003e498ccda\u003c/code\u003e\u003c/a\u003e Upgrade to Gradle 8.14.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/fd68ea6fcbf94fc1d38bfefd3692fe094652ab3d\"\u003e\u003ccode\u003efd68ea6\u003c/code\u003e\u003c/a\u003e Encode non-printable character in Content-Disposition parameter\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/28caa39020a9f7d73f0c181ae265093bedbe9139\"\u003e\u003ccode\u003e28caa39\u003c/code\u003e\u003c/a\u003e Upgrade to Reactor 2023.0.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/8ecc553696cec1cc33a7c4c7e5748d0915f3c9b3\"\u003e\u003ccode\u003e8ecc553\u003c/code\u003e\u003c/a\u003e Polish contribution\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/cd44efaf687ce9a13e28e5569ee9c4fd4ee134f6\"\u003e\u003ccode\u003ecd44efa\u003c/code\u003e\u003c/a\u003e Allow update of existing WebSession after max sessions limit is reached\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/59d2895c8289642ba233de93f38e7a109fc971c1\"\u003e\u003ccode\u003e59d2895\u003c/code\u003e\u003c/a\u003e Fix InMemoryWebSessionStoreTests.startsSessionImplicitly() test\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://github.com/spring-projects/spring-framework/commit/a876bb41af418c35ff3409146e29c28e4ed1b619\"\u003e\u003ccode\u003ea876bb4\u003c/code\u003e\u003c/a\u003e Polish WebSession support and tests\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/3b6becac014f55e896de7e28344e2863ff90425a\"\u003e\u003ccode\u003e3b6beca\u003c/code\u003e\u003c/a\u003e Check for package-visible constructor in case of ClassLoader mismatch\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/59ffbd7a598af7cc7ef3efa81061cb06a06371e5\"\u003e\u003ccode\u003e59ffbd7\u003c/code\u003e\u003c/a\u003e Test conversion support in PropertySourcesPlaceholderConfigurer\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/spring-projects/spring-framework/compare/v3.1.0.RELEASE...v6.1.21\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.hibernate:hibernate-core` from 3.6.9.Final to 5.3.20.Final\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/hibernate/hibernate-orm/blob/5.3.20/changelog.txt\"\u003eorg.hibernate:hibernate-core's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eChanges in 5.3.20.Final (November 16th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31894/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31894/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-14257] - An Entity A with a map collection having as index an Embeddable with a an association to the Entity A fails with a NPE\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14225] - CVE-2020-25638 Potential for SQL injection on use_sql_comments 
logging enabled\n* [HHH-14324] - Add .gradletasknamecache to .gitignore\u003c/p\u003e\n\u003cp\u003e** Improvement\n* [HHH-14325] - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.19.Final (November 10th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31874/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31874/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-13310] - getParameterValue() not working for collections\n* [HHH-14275] - Broken link to Infinispan User Guide in Hibernate 5.3 User Guide\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14309] - Improve \u003ccode\u003eBulkOperationCleanupAction#affectedEntity\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003e** Sub-task\n* [HHH-14196] - Add parsing of persistence.xml/orm.xml documents in the EE 9 namespace\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.18.Final (August 5th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31849/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31849/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-12268] - LazyInitializationException thrown from lazy collection when batch fetching enabled and owning entity refreshed with lock\n* [HHH-13110] - \u003ca href=\"https://github.com/PreUpdate\"\u003e\u003ccode\u003e@​PreUpdate\u003c/code\u003e\u003c/a\u003e method on a Embeddable null on the parent caused NullPointerException\n* [HHH-13936] - No auto transaction joining from SessionImpl.doFlush\n* [HHH-14077] - CVE-2019-14900 SQL injection issue using JPA Criteria API\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14013] - Upgrade to Hibernate Validator 6.0.20.Final\n* [HHH-14096] - Removal of unused code: XMLHelper and its SAXReader factory helper\n* 
[HHH-14103] - Add test cases showing that an entity's transient attribute can be overridden to be persistent in entity subclasses\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.17.Final (April 30th, 2020)\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/64be512b7d8e54ff8d2b9f917bc4c03c6f7bd26b\"\u003e\u003ccode\u003e64be512\u003c/code\u003e\u003c/a\u003e 5.3.20\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/bc8e38a9a8cfd9235d87bf939e2e39225499f0f9\"\u003e\u003ccode\u003ebc8e38a\u003c/code\u003e\u003c/a\u003e HHH-14325 - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/d5067eccf31fe111ddac022320093e483e8f049d\"\u003e\u003ccode\u003ed5067ec\u003c/code\u003e\u003c/a\u003e HHH-14325 - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/2896372dd5b29cb6266bff94455f80166a02f25e\"\u003e\u003ccode\u003e2896372\u003c/code\u003e\u003c/a\u003e HHH-14257 Add test for issue\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/00b3ccb8ecf21c84a07a4098bca8ca8bbac01017\"\u003e\u003ccode\u003e00b3ccb\u003c/code\u003e\u003c/a\u003e HHH-14257 An Entity A with a map collection having as index an Embeddable wit...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/bf0b86dfeab91630fa2a709a27764ad56b069919\"\u003e\u003ccode\u003ebf0b86d\u003c/code\u003e\u003c/a\u003e HHH-14324 Add .gradletasknamecache to .gitignore\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5\"\u003e\u003ccode\u003ed22bbb5\u003c/code\u003e\u003c/a\u003e HHH-14225 CVE-2020-25638 Potential for SQL injection on use_sql_comments logg...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/d48e19d973c3b05d159d37caee667d6fedda32e3\"\u003e\u003ccode\u003ed48e19d\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/3f3d38d40e791d36623450d528d3a1c4e1e72c36\"\u003e\u003ccode\u003e3f3d38d\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/23dd258b7179dfa247886de1783b943de2dee603\"\u003e\u003ccode\u003e23dd258\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/hibernate/hibernate-orm/compare/3.6.9.Final...5.3.20\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `junit:junit` from 4.11 to 4.13.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/junit-team/junit4/releases\"\u003ejunit:junit's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eJUnit 4.13.1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.13.1.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.13.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 RC 2\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca 
href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 RC 1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 3\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 2\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.12.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 3\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.12.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 2\u003c/h2\u003e\n\u003cp\u003eNo release notes provided.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 1\u003c/h2\u003e\n\u003cp\u003eNo release notes provided.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/1b683f4ec07bcfa40149f086d32240f805487e66\"\u003e\u003ccode\u003e1b683f4\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] 
prepare release r4.13.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/ce6ce3aadc070db2902698fe0d3dc6729cd631f2\"\u003e\u003ccode\u003ece6ce3a\u003c/code\u003e\u003c/a\u003e Draft 4.13.1 release notes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/c29dd8239d6b353e699397eb090a1fd27411fa24\"\u003e\u003ccode\u003ec29dd82\u003c/code\u003e\u003c/a\u003e Change version to 4.13.1-SNAPSHOT\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/1d174861f0b64f97ab0722bb324a760bfb02f567\"\u003e\u003ccode\u003e1d17486\u003c/code\u003e\u003c/a\u003e Add a link to assertThrows in exception testing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/543905df72ff10364b94dda27552efebf3dd04e9\"\u003e\u003ccode\u003e543905d\u003c/code\u003e\u003c/a\u003e Use separate line for annotation in Javadoc\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/510e906b391e7e46a346e1c852416dc7be934944\"\u003e\u003ccode\u003e510e906\u003c/code\u003e\u003c/a\u003e Add sub headlines to class Javadoc\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae\"\u003e\u003ccode\u003e610155b\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-269g-pwp5-87pp\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/b6cfd1e3d736cc2106242a8be799615b472c7fec\"\u003e\u003ccode\u003eb6cfd1e\u003c/code\u003e\u003c/a\u003e Explicitly wrap float parameter for consistency (\u003ca href=\"https://redirect.github.com/junit-team/junit4/issues/1671\"\u003e#1671\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/a5d205c7956dbed302b3bb5ecde5ba4299f0b646\"\u003e\u003ccode\u003ea5d205c\u003c/code\u003e\u003c/a\u003e Fix GitHub link in FAQ (\u003ca 
href=\"https://redirect.github.com/junit-team/junit4/issues/1672\"\u003e#1672\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/3a5c6b4d08f408c8ca6a8e0bae71a9bc5a8f97e8\"\u003e\u003ccode\u003e3a5c6b4\u003c/code\u003e\u003c/a\u003e Deprecated since jdk9 replacing constructor instance of Double and Float (\u003ca href=\"https://redirect.github.com/junit-team/junit4/issues/1660\"\u003e#1660\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/junit-team/junit4/compare/r4.11...r4.13.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` 
will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Excecrable/javamelody/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Excecrable/javamelody/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Excecrable%2Fjavamelody/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"},{"uuid":"3670653005","node_id":"PR_kwDOPTFAcs610E2k","number":22,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.7 to 1.4.21 in /contrib/ambari-scom/ambari-scom-server","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-27T09:49:12.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-27T09:48:22.000Z","updated_at":"2025-11-27T09:49:20.000Z","time_to_close":50,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.7","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/contrib/ambari-scom/ambari-scom-server","ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.7 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare 
view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.7\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/AndresMaqueo/ambari/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/AndresMaqueo/ambari/pull/22","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/AndresMaqueo%2Fambari/issues/22","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/22/packages"},{"uuid":"3668595467","node_id":"PR_kwDOP7u-Ac61tQqe","number":1,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.10 to 1.4.21 in /services/user-service in the maven group across 1 directory","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-26T18:25:46.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-26T18:19:49.000Z","updated_at":"2025-11-26T18:25:48.000Z","time_to_close":357,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/services/user-service in the maven group across 1 
directory","ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /services/user-service directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.10\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/og-dmacinnes/vulnshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/og-dmacinnes/vulnshop/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/og-dmacinnes%2Fvulnshop/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"},{"uuid":"3660320965","node_id":"PR_kwDOQcN32M61Rlic","number":4,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-26T18:36:34.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-24T19:54:42.000Z","updated_at":"2025-11-26T18:36:36.000Z","time_to_close":168112,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/testOnboarding-Jie/WebGoat/pull/4","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/testOnboarding-Jie%2FWebGoat/issues/4","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/4/packages"},{"uuid":"2893847241","node_id":"PR_kwDOP93AT86sfJrJ","number":5,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-07T12:39:03.000Z","updated_at":"2025-10-07T12:39:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/sig-chakrava/webgoat_source/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/sig-chakrava%2Fwebgoat_source/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"},{"uuid":"2889359830","node_id":"PR_kwDOC1evIc6sOCHW","number":40,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.17 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-06T09:03:44.000Z","updated_at":"2025-10-06T09:03:45.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.17","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.17 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.17\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/marcomarasca/Synapse-Repository-Services/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/marcomarasca/Synapse-Repository-Services/pull/40","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcomarasca%2FSynapse-Repository-Services/issues/40","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/40/packages"},{"uuid":"2888900879","node_id":"PR_kwDOPn-U5M6sMSEP","number":17,"state":"open","title":"chore: bump the maven group across 1 directory with 2 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-06T05:56:42.000Z","updated_at":"2025-10-06T05:56:43.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore: bump","group_name":"maven","update_count":2,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bitbucket.b_c:jose4j","old_version":"0.9.3","new_version":"0.9.4"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 2 updates in the / directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.5 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bitbucket.b_c:jose4j` from 0.9.3 to 0.9.4\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca 
href=\"https://bitbucket.org/b_c/jose4j/commits/1ec20f8716436857a3929f60e644d4de1e40bfd9\"\u003e\u003ccode\u003e1ec20f8\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e4da603d8ebd40f4f2080e24c9b906b9e3f31fc5\"\u003e\u003ccode\u003ee4da603\u003c/code\u003e\u003c/a\u003e Update slf4j-api to 1.7.36 to avoid CVE-2018-8088\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/b5720a2fde3fc0a1937737ead27863b404f0f458\"\u003e\u003ccode\u003eb5720a2\u003c/code\u003e\u003c/a\u003e Merged in master (pull request \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/25\"\u003e#25\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/72739aeeadb468db72d7944a6d8c3c2593dd2a9c\"\u003e\u003ccode\u003e72739ae\u003c/code\u003e\u003c/a\u003e fix spelling\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b31cd4461fd56750c499c139ca39f0\"\u003e\u003ccode\u003e1afaa1e\u003c/code\u003e\u003c/a\u003e Add the PBES2 algorithms to JWE's default blocked AlgorithmConstraints and pu...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/055225eae37ff00b9636376de292bd5848219a31\"\u003e\u003ccode\u003e055225e\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release jose4j-0.9.4\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.4..jose4j-0.9.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e 
\u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kalinowskiremi/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/kalinowskiremi/WebGoat/pull/17","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalinowskiremi%2FWebGoat/issues/17","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/17/packages"},{"uuid":"2883121571","node_id":"PR_kwDONDf1os6r2PGj","number":1,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.10 to 1.4.21 in /redhat/training/pam/project in the maven group across 1 directory","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-02T21:33:40.000Z","updated_at":"2025-10-02T21:33:41.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/redhat/training/pam/project in the maven group across 1 directory","ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /redhat/training/pam/project directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.10\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/offsoc/docker_env/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/offsoc/docker_env/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/offsoc%2Fdocker_env/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"},{"uuid":"2877574895","node_id":"PR_kwDOAz8e_M6rhE7v","number":258,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.19 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-10-01T09:45:30.000Z","updated_at":"2025-10-01T09:45:31.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.19","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.19\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/hazelcast/hazelcast-eureka/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/hazelcast/hazelcast-eureka/pull/258","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazelcast%2Fhazelcast-eureka/issues/258","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/258/packages"},{"uuid":"2869250465","node_id":"PR_kwDOFKHe-c6rBUmh","number":62,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.19 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-29T06:37:27.000Z","updated_at":"2025-09-29T06:37:28.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.19","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=gradle\u0026previous-version=1.4.19\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/piacenti/dsl-maker/pull/62","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/piacenti%2Fdsl-maker/issues/62","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/62/packages"},{"uuid":"2867609985","node_id":"PR_kwDOPn-U5M6q7EGB","number":13,"state":"closed","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-10-06T05:56:44.000Z","author_association":"NONE","state_reason":null,"created_at":"2025-09-28T11:10:51.000Z","updated_at":"2025-10-06T05:56:44.000Z","time_to_close":672353,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/kalinowskiremi/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/kalinowskiremi/WebGoat/pull/13","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalinowskiremi%2FWebGoat/issues/13","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/13/packages"},{"uuid":"2866645921","node_id":"PR_kwDOP4BEYs6q3Yuh","number":5,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:53:03.000Z","updated_at":"2025-09-27T15:53:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/amills4421/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/amills4421/webgoat-security-workshop/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/amills4421%2Fwebgoat-security-workshop/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"},{"uuid":"2866644180","node_id":"PR_kwDOP4AvQ86q3YTU","number":6,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:51:28.000Z","updated_at":"2025-09-27T15:51:29.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/HenryWu7175/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/HenryWu7175/webgoat-security-workshop/pull/6","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/HenryWu7175%2Fwebgoat-security-workshop/issues/6","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/6/packages"},{"uuid":"2866643354","node_id":"PR_kwDOP4AyLc6q3YGa","number":8,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:50:03.000Z","updated_at":"2025-09-27T15:50:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/IsabellaSlome/webgoat-security-workshop/pull/8","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/IsabellaSlome%2Fwebgoat-security-workshop/issues/8","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/8/packages"},{"uuid":"2866643080","node_id":"PR_kwDOP4Av9c6q3YCI","number":10,"state":"open","title":"chore: bump 
com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:49:34.000Z","updated_at":"2025-09-27T15:49:34.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/Felix-Hardjana/sast-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Felix-Hardjana/sast-workshop/pull/10","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Felix-Hardjana%2Fsast-workshop/issues/10","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/10/packages"},{"uuid":"2866642801","node_id":"PR_kwDOP4A5vc6q3X9x","number":5,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-09-27T15:49:09.000Z","updated_at":"2025-09-27T15:49:10.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/MigiIsRight/WebGoat/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/MigiIsRight%2FWebGoat/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"},{"uuid":"2866633890","node_id":"PR_kwDOP4A9b86q3Vyi","number":4,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:36:12.000Z","updated_at":"2025-09-27T15:36:13.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/Mythicalhoppa/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Mythicalhoppa/webgoat-security-workshop/pull/4","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mythicalhoppa%2Fwebgoat-security-workshop/issues/4","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/4/packages"},{"uuid":"3442557768","node_id":"PR_kwDOGh5jPc6p7e8_","number":241,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.18 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java","Stale"],"assignees":[],"locked":false,"comments_count":3,"pull_request":true,"closed_at":null,"author_association":null,"state_reason":null,"created_at":"2025-09-22T20:01:45.000Z","updated_at":"2025-12-26T03:01:15.893Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.18","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.18 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=gradle\u0026previous-version=1.4.18\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # 
(dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 
days.\n","html_url":"https://github.com/thinking-github/conductor/pull/241","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/thinking-github%2Fconductor/issues/241","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/241/packages"}],"issue_packages":[{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2026-04-21T20:21:51.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"4305085202","node_id":"PR_kwDOSBNS1c7UbHbf","number":12,"state":"open","title":"chore: bump the maven group across 1 directory with 2 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":null,"author_association":null,"state_reason":null,"created_at":"2026-04-21T20:21:51.000Z","updated_at":"2026-04-22T00:14:46.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore: bump","group_name":"maven","update_count":2,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bitbucket.b_c:jose4j","old_version":"0.9.3","new_version":"0.9.6"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 2 updates in the / directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.5 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bitbucket.b_c:jose4j` from 0.9.3 to 
0.9.6\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1ec20f8716436857a3929f60e644d4de1e40bfd9\"\u003e\u003ccode\u003e1ec20f8\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e4da603d8ebd40f4f2080e24c9b906b9e3f31fc5\"\u003e\u003ccode\u003ee4da603\u003c/code\u003e\u003c/a\u003e Update slf4j-api to 1.7.36 to avoid CVE-2018-8088\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/b5720a2fde3fc0a1937737ead27863b404f0f458\"\u003e\u003ccode\u003eb5720a2\u003c/code\u003e\u003c/a\u003e Merged in master (pull request \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/25\"\u003e#25\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/72739aeeadb468db72d7944a6d8c3c2593dd2a9c\"\u003e\u003ccode\u003e72739ae\u003c/code\u003e\u003c/a\u003e fix spelling\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b31cd4461fd56750c499c139ca39f0\"\u003e\u003ccode\u003e1afaa1e\u003c/code\u003e\u003c/a\u003e Add the PBES2 algorithms to JWE's default blocked AlgorithmConstraints and pu...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/055225eae37ff00b9636376de292bd5848219a31\"\u003e\u003ccode\u003e055225e\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release jose4j-0.9.4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e2bdbdfced11842cad5f0a870bd79f267c6125b3\"\u003e\u003ccode\u003ee2bdbdf\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://bitbucket.org/b_c/jose4j/commits/3e97f620ad1c32c4f605cf850bbcc5414c9ca647\"\u003e\u003ccode\u003e3e97f62\u003c/code\u003e\u003c/a\u003e Attempt to provide somewhat better error messages for invalid JWTs (especiall...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/8b2316f94f910f525529239e1be807c9cb991ab8\"\u003e\u003ccode\u003e8b2316f\u003c/code\u003e\u003c/a\u003e JsonWebKey.Factory.newJwk(Key key) to throw an exception when given a private...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/fa33e980f158ac876348402c6f025403f4e6a51a\"\u003e\u003ccode\u003efa33e98\u003c/code\u003e\u003c/a\u003e Fix JWKS key resolution for ECDH-ES* decryption with OKP keys (issue \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/218\"\u003e#218\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.6..jose4j-0.9.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/Cluster-Mesh/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Cluster-Mesh/WebGoat/pull/12","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cluster-Mesh%2FWebGoat/issues/12","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/12/packages"}},{"old_version":"1.4.20","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2026-03-25T11:52:54.000Z","version_change":"1.4.20 → 1.4.21","issue":{"uuid":"4134844315","node_id":"PR_kwDORiYEls7NUr51","number":1,"state":"closed","title":"Bump the maven group across 1 directory with 3 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-03-27T02:30:52.000Z","author_association":null,"state_reason":null,"created_at":"2026-03-25T11:52:54.000Z","updated_at":"2026-03-27T02:30:53.000Z","time_to_close":139078,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","group_name":"maven","update_count":3,"packages":[{"name":"org.apache.commons:commons-lang3","old_version":"3.15.0","new_version":"3.18.0"},{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.20","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bouncycastle:bcpkix-jdk18on","old_version":"1.78.1","new_version":"1.79","repository_url":"https://github.com/bcgit/bc-java"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 3 updates in the /core directory: org.apache.commons:commons-lang3, [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and [org.bouncycastle:bcpkix-jdk18on](https://github.com/bcgit/bc-java).\n\nUpdates `org.apache.commons:commons-lang3` from 3.15.0 to 3.18.0\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.20 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full 
diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bouncycastle:bcpkix-jdk18on` from 1.78.1 to 1.79\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html\"\u003eorg.bouncycastle:bcpkix-jdk18on's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003cp\u003e\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e2.1.1 Version\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e\nRelease: 1.84\u003c!-- raw HTML omitted --\u003e\nDate:      TBD\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003cp\u003e\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e2.2.1 Version\u003c!-- raw HTML omitted --\u003e\u003c!-- raw HTML omitted --\u003e\nRelease: 1.83\u003c!-- raw HTML omitted --\u003e\nDate:      2025, November 27th.\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/bcgit/bc-java/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/ThalesGroup/igniterealtime_Spark/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/ThalesGroup/igniterealtime_Spark/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Figniterealtime_Spark/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"}},{"old_version":"1.4.10","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2026-02-24T16:32:52.000Z","version_change":"1.4.10 → 1.4.21","issue":{"uuid":"3984674649","node_id":"PR_kwDOCecuCs7F-51R","number":5,"state":"closed","title":"Bump the maven group across 3 directories with 8 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-04-10T23:55:49.000Z","author_association":null,"state_reason":null,"created_at":"2026-02-24T16:32:52.000Z","updated_at":"2026-04-10T23:55:50.000Z","time_to_close":3914577,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","group_name":"maven","update_count":8,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"com.h2database:h2","old_version":"1.3.170","new_version":"2.2.220","repository_url":"https://github.com/h2database/h2database"},{"name":"org.apache.logging.log4j:log4j-core","old_version":"2.5","new_version":"2.25.3"},{"name":"ch.qos.logback:logback-classic","old_version":"0.9.19","new_version":"1.2.13","repository_url":"https://github.com/qos-ch/logback"},{"name":"org.springframework:spring-context","old_version":"3.1.0.RELEASE","new_version":"6.1.20","repository_url":"https://github.com/spring-projects/spring-framework"},{"name":"org.springframework:spring-web","old_version":"3.1.0.RELEASE","new_version":"6.1.21","repository_url":"https://github.com/spring-projects/spring-framework"},{"name":"org.hibe
rnate:hibernate-core","old_version":"3.6.9.Final","new_version":"5.3.20.Final","repository_url":"https://github.com/hibernate/hibernate-orm"},{"name":"junit:junit","old_version":"4.11","new_version":"4.13.1","repository_url":"https://github.com/junit-team/junit4"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /javamelody-collector-server directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\nBumps the maven group with 1 update in the /javamelody-swing directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\nBumps the maven group with 8 updates in the /javamelody-test-webapp directory:\n\n| Package | From | To |\n| --- | --- | --- |\n| [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) | `1.4.10` | `1.4.21` |\n| [com.h2database:h2](https://github.com/h2database/h2database) | `1.3.170` | `2.2.220` |\n| org.apache.logging.log4j:log4j-core | `2.5` | `2.25.3` |\n| [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) | `0.9.19` | `1.2.13` |\n| [org.springframework:spring-context](https://github.com/spring-projects/spring-framework) | `3.1.0.RELEASE` | `6.1.20` |\n| [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) | `3.1.0.RELEASE` | `6.1.21` |\n| [org.hibernate:hibernate-core](https://github.com/hibernate/hibernate-orm) | `3.6.9.Final` | `5.3.20.Final` |\n| [junit:junit](https://github.com/junit-team/junit4) | `4.11` | `4.13.1` |\n\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 
1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `com.h2database:h2` from 1.3.170 to 2.2.220\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/h2database/h2database/releases\"\u003ecom.h2database:h2's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eVersion 2.2.220\u003c/h2\u003e\n\u003cp\u003eChanges since 2.1.214 release:\u003c/p\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... 
(truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/h2database/h2database/commits/version-2.2.220\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.apache.logging.log4j:log4j-core` from 2.5 to 2.25.3\n\nUpdates `ch.qos.logback:logback-classic` from 0.9.19 to 1.2.13\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/2648b9e7fbb47426c89b9c93b411c07484e8f277\"\u003e\u003ccode\u003e2648b9e\u003c/code\u003e\u003c/a\u003e prepare release 1.2.13\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3\"\u003e\u003ccode\u003ebb09515\u003c/code\u003e\u003c/a\u003e fix CVE-2023-6378\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/45732949bfb845df04cbe65292cf48aaa090cb1d\"\u003e\u003ccode\u003e4573294\u003c/code\u003e\u003c/a\u003e start work on 1.2.13-SNAPSHOT\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/a388193052c298ca87cc64192319df723288c6ab\"\u003e\u003ccode\u003ea388193\u003c/code\u003e\u003c/a\u003e Merge branch 'branch_1.2.x' of github.com:qos-ch/logback into branch_1.2.x\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/de44dc422bc3da1d7808283851324d960b492d4d\"\u003e\u003ccode\u003ede44dc4\u003c/code\u003e\u003c/a\u003e prepare release 1.2.12\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/ca0cf172f680308938515b8a5d69348759ee947c\"\u003e\u003ccode\u003eca0cf17\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/qos-ch/logback/issues/532\"\u003e#532\u003c/a\u003e from 
joakime/fix-jetty-requestlog\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/e31609b1980b9ba986344aae3cab7275fa2b4935\"\u003e\u003ccode\u003ee31609b\u003c/code\u003e\u003c/a\u003e removed unused files\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/21e29efb284766f386781175b2ba18585b690154\"\u003e\u003ccode\u003e21e29ef\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/qos-ch/logback/issues/567\"\u003e#567\u003c/a\u003e from spliffone/LOGBACK-1633\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/e869000e1d5901e6aa6f46cc6575ee2137f15b69\"\u003e\u003ccode\u003ee869000\u003c/code\u003e\u003c/a\u003e fix: published POM file contain the wrong scm URL\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/qos-ch/logback/commit/009ea46cb81a015f2ca312bde6e823581b93b37a\"\u003e\u003ccode\u003e009ea46\u003c/code\u003e\u003c/a\u003e version for next dev cycle\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/qos-ch/logback/compare/release_0.9.19...v_1.2.13\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.springframework:spring-context` from 3.1.0.RELEASE to 6.1.20\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/spring-projects/spring-framework/releases\"\u003eorg.springframework:spring-context's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.20\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd option for case-insensitive match to PatternMatchUtils \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34802\"\u003e#34802\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34854\"\u003e#34854\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAccidental ClassLoader defineClass enforcement after \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34677\"\u003e#34677\u003c/a\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34839\"\u003e#34839\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eClarify \u003ccode\u003eCompositePropertySource\u003c/code\u003e behavior for \u003ccode\u003eEnumerablePropertySource\u003c/code\u003e contract \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34887\"\u003e#34887\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.18 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34899\"\u003e#34899\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.19\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSuggest compilation with \u003ccode\u003e-parameters\u003c/code\u003e when \u003ccode\u003eAspectJAdviceParameterNameDiscoverer\u003c/code\u003e fails against ambiguity \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34618\"\u003e#34618\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug 
Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ePropertyBatchUpdateException\u003c/code\u003e: causes of nested \u003ccode\u003ePropertyAccessException\u003c/code\u003es not shown in output \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34698\"\u003e#34698\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eChange in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34694\"\u003e#34694\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eStartup performance regression due to CGLIB class load attempts in Spring 6.1.x \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34693\"\u003e#34693\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34690\"\u003e#34690\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@Configuration\u003c/code\u003e classes can no longer be \u003ccode\u003eabstract\u003c/code\u003e without \u003ccode\u003e@Bean\u003c/code\u003e methods \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34689\"\u003e#34689\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerated-code for LinkedHashMap is missing static keyword \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34661\"\u003e#34661\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34619\"\u003e#34619\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd javadoc notes on potential exception 
suppression in \u003ccode\u003eListableBeanFactory#getBeansOfType\u003c/code\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34631\"\u003e#34631\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRemove remaining references to Forwarded headers in MvcUriComponentsBuilder \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34626\"\u003e#34626\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMvcUriComponentsBuilder\u003c/code\u003e javadocs inaccurately reflects usage of forwarded headers \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34620\"\u003e#34620\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.18\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAvoid unnecessary CGLIB processing on configuration classes \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34487\"\u003e#34487\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eInconsistent default class loaders in hint classes \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34473\"\u003e#34473\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDefaultManagedTaskExecutor throws java.lang.UnsupportedOperationException: isShutdown when rejecting tasks \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34515\"\u003e#34515\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEndless loop with DataSourceUtils in spring-jdbc \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34497\"\u003e#34497\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMockHttpServletResponse - handle multiple values for Content-Language header \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34491\"\u003e#34491\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/1f9c59b17b5a7afc69f28b694de4553d6b65c9d5\"\u003e\u003ccode\u003e1f9c59b\u003c/code\u003e\u003c/a\u003e Release v6.1.20\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/edfcc6ffb188e4614ec9b212e3208b666981851c\"\u003e\u003ccode\u003eedfcc6f\u003c/code\u003e\u003c/a\u003e Make use of PatternMatchUtils ignoreCase option\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/f93132b11ef6aa5718d20a05846828659c082fe8\"\u003e\u003ccode\u003ef93132b\u003c/code\u003e\u003c/a\u003e Add missing \u003ca href=\"https://github.com/since\"\u003e\u003ccode\u003e@​since\u003c/code\u003e\u003c/a\u003e tags in PatternMatchUtils\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/6ab4c84bd528d9480071d3dec4ff0b4904dbbb2f\"\u003e\u003ccode\u003e6ab4c84\u003c/code\u003e\u003c/a\u003e Upgrade to Reactor 2023.0.18\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/d5fca0d2c5d96b1a59a5814aa38c5f3b15238301\"\u003e\u003ccode\u003ed5fca0d\u003c/code\u003e\u003c/a\u003e Upgrade to Jetty 12.0.21, Netty 4.1.121, Apache HttpClient 5.4.4, Checkstyle ...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/cbb94193fe9f11d1af8b8958292b0edc8451cd4c\"\u003e\u003ccode\u003ecbb9419\u003c/code\u003e\u003c/a\u003e Clarify CompositePropertySource behavior for EnumerablePropertySource 
contract\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/5b5e2b68767537f204d8392201497805ce6562d7\"\u003e\u003ccode\u003e5b5e2b6\u003c/code\u003e\u003c/a\u003e Fix HttpClient 5.3.x request config compatibility\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/a5b0399a1d6f3e89ae3bbfeb0b13142ecaddb4e9\"\u003e\u003ccode\u003ea5b0399\u003c/code\u003e\u003c/a\u003e Polishing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/71f27256381d72170f9c6d38eea3032ceb24f030\"\u003e\u003ccode\u003e71f2725\u003c/code\u003e\u003c/a\u003e Try loadClass on LinkageError in case of same ClassLoader as well\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/daee9f1242264215876e67f6ef43b117195385c6\"\u003e\u003ccode\u003edaee9f1\u003c/code\u003e\u003c/a\u003e Reinstate the @⁠Inject Technology Compatibility Kit (TCK)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/spring-projects/spring-framework/compare/v3.1.0.RELEASE...v6.1.20\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.springframework:spring-web` from 3.1.0.RELEASE to 6.1.21\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/spring-projects/spring-framework/releases\"\u003eorg.springframework:spring-web's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.21\u003c/h2\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEncode non-printable character in Content-Disposition parameter \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35035\"\u003e#35035\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAllow update of existing \u003ccode\u003eWebSession\u003c/code\u003e after max sessions limit is reached \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35018\"\u003e#35018\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eEnhanced configuration class fails to call package-visible superclass constructor on WebSphere \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34951\"\u003e#34951\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.19 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/35022\"\u003e#35022\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.20\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd option for case-insensitive match to PatternMatchUtils \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34802\"\u003e#34802\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHttpComponentsClientHttpRequestFactory setConnectionRequestTimeout not working with httpclient 5.3.1 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34854\"\u003e#34854\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAccidental ClassLoader defineClass enforcement after \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34677\"\u003e#34677\u003c/a\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34839\"\u003e#34839\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eClarify 
\u003ccode\u003eCompositePropertySource\u003c/code\u003e behavior for \u003ccode\u003eEnumerablePropertySource\u003c/code\u003e contract \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34887\"\u003e#34887\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:hammer: Dependency Upgrades\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Reactor 2023.0.18 \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34899\"\u003e#34899\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.19\u003c/h2\u003e\n\u003ch2\u003e:star: New Features\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSuggest compilation with \u003ccode\u003e-parameters\u003c/code\u003e when \u003ccode\u003eAspectJAdviceParameterNameDiscoverer\u003c/code\u003e fails against ambiguity \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34618\"\u003e#34618\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:lady_beetle: Bug Fixes\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003ePropertyBatchUpdateException\u003c/code\u003e: causes of nested \u003ccode\u003ePropertyAccessException\u003c/code\u003es not shown in output \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34698\"\u003e#34698\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eChange in Jar usecache behavior with Spring 6.1.x causing java.lang.IllegalStateException: zip file closed \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34694\"\u003e#34694\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eStartup performance regression due to CGLIB class load attempts in Spring 6.1.x \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34693\"\u003e#34693\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eIllegalAccessError for package-private member of AzureStorageConfiguration on WebSphere \u003ca 
href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34690\"\u003e#34690\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003e@Configuration\u003c/code\u003e classes can no longer be \u003ccode\u003eabstract\u003c/code\u003e without \u003ccode\u003e@Bean\u003c/code\u003e methods \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34689\"\u003e#34689\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerated-code for LinkedHashMap is missing static keyword \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34661\"\u003e#34661\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAbstractReactiveTransactionManager throws IllegalStateException when rollback fails after commit attempt \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34619\"\u003e#34619\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e:notebook_with_decorative_cover: Documentation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd javadoc notes on potential exception suppression in \u003ccode\u003eListableBeanFactory#getBeansOfType\u003c/code\u003e \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34631\"\u003e#34631\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRemove remaining references to Forwarded headers in MvcUriComponentsBuilder \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34626\"\u003e#34626\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eMvcUriComponentsBuilder\u003c/code\u003e javadocs inaccurately reflects usage of forwarded headers \u003ca href=\"https://redirect.github.com/spring-projects/spring-framework/issues/34620\"\u003e#34620\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... 
(truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/fa36b342ebafc488f29f7d30c8e69a3d4b988ae6\"\u003e\u003ccode\u003efa36b34\u003c/code\u003e\u003c/a\u003e Release v6.1.21\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/498ccda8fc354a905875a79f2d29e25a447b718b\"\u003e\u003ccode\u003e498ccda\u003c/code\u003e\u003c/a\u003e Upgrade to Gradle 8.14.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/fd68ea6fcbf94fc1d38bfefd3692fe094652ab3d\"\u003e\u003ccode\u003efd68ea6\u003c/code\u003e\u003c/a\u003e Encode non-printable character in Content-Disposition parameter\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/28caa39020a9f7d73f0c181ae265093bedbe9139\"\u003e\u003ccode\u003e28caa39\u003c/code\u003e\u003c/a\u003e Upgrade to Reactor 2023.0.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/8ecc553696cec1cc33a7c4c7e5748d0915f3c9b3\"\u003e\u003ccode\u003e8ecc553\u003c/code\u003e\u003c/a\u003e Polish contribution\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/cd44efaf687ce9a13e28e5569ee9c4fd4ee134f6\"\u003e\u003ccode\u003ecd44efa\u003c/code\u003e\u003c/a\u003e Allow update of existing WebSession after max sessions limit is reached\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/59d2895c8289642ba233de93f38e7a109fc971c1\"\u003e\u003ccode\u003e59d2895\u003c/code\u003e\u003c/a\u003e Fix InMemoryWebSessionStoreTests.startsSessionImplicitly() test\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://github.com/spring-projects/spring-framework/commit/a876bb41af418c35ff3409146e29c28e4ed1b619\"\u003e\u003ccode\u003ea876bb4\u003c/code\u003e\u003c/a\u003e Polish WebSession support and tests\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/3b6becac014f55e896de7e28344e2863ff90425a\"\u003e\u003ccode\u003e3b6beca\u003c/code\u003e\u003c/a\u003e Check for package-visible constructor in case of ClassLoader mismatch\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/spring-projects/spring-framework/commit/59ffbd7a598af7cc7ef3efa81061cb06a06371e5\"\u003e\u003ccode\u003e59ffbd7\u003c/code\u003e\u003c/a\u003e Test conversion support in PropertySourcesPlaceholderConfigurer\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/spring-projects/spring-framework/compare/v3.1.0.RELEASE...v6.1.21\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.hibernate:hibernate-core` from 3.6.9.Final to 5.3.20.Final\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/hibernate/hibernate-orm/blob/5.3.20/changelog.txt\"\u003eorg.hibernate:hibernate-core's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eChanges in 5.3.20.Final (November 16th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31894/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31894/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-14257] - An Entity A with a map collection having as index an Embeddable with a an association to the Entity A fails with a NPE\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14225] - CVE-2020-25638 Potential for SQL injection on use_sql_comments 
logging enabled\n* [HHH-14324] - Add .gradletasknamecache to .gitignore\u003c/p\u003e\n\u003cp\u003e** Improvement\n* [HHH-14325] - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.19.Final (November 10th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31874/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31874/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-13310] - getParameterValue() not working for collections\n* [HHH-14275] - Broken link to Infinispan User Guide in Hibernate 5.3 User Guide\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14309] - Improve \u003ccode\u003eBulkOperationCleanupAction#affectedEntity\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003e** Sub-task\n* [HHH-14196] - Add parsing of persistence.xml/orm.xml documents in the EE 9 namespace\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.18.Final (August 5th, 2020)\u003c/h2\u003e\n\u003cp\u003e\u003ca href=\"https://hibernate.atlassian.net/projects/HHH/versions/31849/tab/release-report-all-issues\"\u003ehttps://hibernate.atlassian.net/projects/HHH/versions/31849/tab/release-report-all-issues\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e** Bug\n* [HHH-12268] - LazyInitializationException thrown from lazy collection when batch fetching enabled and owning entity refreshed with lock\n* [HHH-13110] - \u003ca href=\"https://github.com/PreUpdate\"\u003e\u003ccode\u003e@​PreUpdate\u003c/code\u003e\u003c/a\u003e method on a Embeddable null on the parent caused NullPointerException\n* [HHH-13936] - No auto transaction joining from SessionImpl.doFlush\n* [HHH-14077] - CVE-2019-14900 SQL injection issue using JPA Criteria API\u003c/p\u003e\n\u003cp\u003e** Task\n* [HHH-14013] - Upgrade to Hibernate Validator 6.0.20.Final\n* [HHH-14096] - Removal of unused code: XMLHelper and its SAXReader factory helper\n* 
[HHH-14103] - Add test cases showing that an entity's transient attribute can be overridden to be persistent in entity subclasses\u003c/p\u003e\n\u003ch2\u003eChanges in 5.3.17.Final (April 30th, 2020)\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/64be512b7d8e54ff8d2b9f917bc4c03c6f7bd26b\"\u003e\u003ccode\u003e64be512\u003c/code\u003e\u003c/a\u003e 5.3.20\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/bc8e38a9a8cfd9235d87bf939e2e39225499f0f9\"\u003e\u003ccode\u003ebc8e38a\u003c/code\u003e\u003c/a\u003e HHH-14325 - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/d5067eccf31fe111ddac022320093e483e8f049d\"\u003e\u003ccode\u003ed5067ec\u003c/code\u003e\u003c/a\u003e HHH-14325 - Add Query hint for specifying \u0026quot;query spaces\u0026quot; for native queries\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/2896372dd5b29cb6266bff94455f80166a02f25e\"\u003e\u003ccode\u003e2896372\u003c/code\u003e\u003c/a\u003e HHH-14257 Add test for issue\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/00b3ccb8ecf21c84a07a4098bca8ca8bbac01017\"\u003e\u003ccode\u003e00b3ccb\u003c/code\u003e\u003c/a\u003e HHH-14257 An Entity A with a map collection having as index an Embeddable wit...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/bf0b86dfeab91630fa2a709a27764ad56b069919\"\u003e\u003ccode\u003ebf0b86d\u003c/code\u003e\u003c/a\u003e HHH-14324 Add .gradletasknamecache to .gitignore\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://github.com/hibernate/hibernate-orm/commit/d22bbb5c339c9df7712c3365bb1df97c91b35ec5\"\u003e\u003ccode\u003ed22bbb5\u003c/code\u003e\u003c/a\u003e HHH-14225 CVE-2020-25638 Potential for SQL injection on use_sql_comments logg...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/d48e19d973c3b05d159d37caee667d6fedda32e3\"\u003e\u003ccode\u003ed48e19d\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/3f3d38d40e791d36623450d528d3a1c4e1e72c36\"\u003e\u003ccode\u003e3f3d38d\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/hibernate/hibernate-orm/commit/23dd258b7179dfa247886de1783b943de2dee603\"\u003e\u003ccode\u003e23dd258\u003c/code\u003e\u003c/a\u003e 5.3.19\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/hibernate/hibernate-orm/compare/3.6.9.Final...5.3.20\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `junit:junit` from 4.11 to 4.13.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/junit-team/junit4/releases\"\u003ejunit:junit's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eJUnit 4.13.1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.13.1.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.13.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 RC 2\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca 
href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 RC 1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 3\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 2\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.13 Beta 1\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit4/wiki/4.13-Release-Notes\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.12.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 3\u003c/h2\u003e\n\u003cp\u003ePlease refer to the \u003ca href=\"https://github.com/junit-team/junit/blob/HEAD/doc/ReleaseNotes4.12.md\"\u003erelease notes\u003c/a\u003e for details.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 2\u003c/h2\u003e\n\u003cp\u003eNo release notes provided.\u003c/p\u003e\n\u003ch2\u003eJUnit 4.12 Beta 1\u003c/h2\u003e\n\u003cp\u003eNo release notes provided.\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/1b683f4ec07bcfa40149f086d32240f805487e66\"\u003e\u003ccode\u003e1b683f4\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] 
prepare release r4.13.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/ce6ce3aadc070db2902698fe0d3dc6729cd631f2\"\u003e\u003ccode\u003ece6ce3a\u003c/code\u003e\u003c/a\u003e Draft 4.13.1 release notes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/c29dd8239d6b353e699397eb090a1fd27411fa24\"\u003e\u003ccode\u003ec29dd82\u003c/code\u003e\u003c/a\u003e Change version to 4.13.1-SNAPSHOT\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/1d174861f0b64f97ab0722bb324a760bfb02f567\"\u003e\u003ccode\u003e1d17486\u003c/code\u003e\u003c/a\u003e Add a link to assertThrows in exception testing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/543905df72ff10364b94dda27552efebf3dd04e9\"\u003e\u003ccode\u003e543905d\u003c/code\u003e\u003c/a\u003e Use separate line for annotation in Javadoc\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/510e906b391e7e46a346e1c852416dc7be934944\"\u003e\u003ccode\u003e510e906\u003c/code\u003e\u003c/a\u003e Add sub headlines to class Javadoc\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae\"\u003e\u003ccode\u003e610155b\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-269g-pwp5-87pp\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/b6cfd1e3d736cc2106242a8be799615b472c7fec\"\u003e\u003ccode\u003eb6cfd1e\u003c/code\u003e\u003c/a\u003e Explicitly wrap float parameter for consistency (\u003ca href=\"https://redirect.github.com/junit-team/junit4/issues/1671\"\u003e#1671\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/a5d205c7956dbed302b3bb5ecde5ba4299f0b646\"\u003e\u003ccode\u003ea5d205c\u003c/code\u003e\u003c/a\u003e Fix GitHub link in FAQ (\u003ca 
href=\"https://redirect.github.com/junit-team/junit4/issues/1672\"\u003e#1672\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/junit-team/junit4/commit/3a5c6b4d08f408c8ca6a8e0bae71a9bc5a8f97e8\"\u003e\u003ccode\u003e3a5c6b4\u003c/code\u003e\u003c/a\u003e Deprecated since jdk9 replacing constructor instance of Double and Float (\u003ca href=\"https://redirect.github.com/junit-team/junit4/issues/1660\"\u003e#1660\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/junit-team/junit4/compare/r4.11...r4.13.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` 
will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Excecrable/javamelody/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Excecrable/javamelody/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Excecrable%2Fjavamelody/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"}},{"old_version":"1.4.7","new_version":"1.4.21","update_type":"patch","path":"/contrib/ambari-scom/ambari-scom-server","pr_created_at":"2025-11-27T09:48:22.000Z","version_change":"1.4.7 → 1.4.21","issue":{"uuid":"3670653005","node_id":"PR_kwDOPTFAcs610E2k","number":22,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.7 to 1.4.21 in /contrib/ambari-scom/ambari-scom-server","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-27T09:49:12.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-27T09:48:22.000Z","updated_at":"2025-11-27T09:49:20.000Z","time_to_close":50,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.7","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/contrib/ambari-scom/ambari-scom-server","ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.7 to 
1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.7\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/AndresMaqueo/ambari/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/AndresMaqueo/ambari/pull/22","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/AndresMaqueo%2Fambari/issues/22","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/22/packages"}},{"old_version":"1.4.10","new_version":"1.4.21","update_type":"patch","path":"/services/user-service in the maven group across 1 directory","pr_created_at":"2025-11-26T18:19:49.000Z","version_change":"1.4.10 → 1.4.21","issue":{"uuid":"3668595467","node_id":"PR_kwDOP7u-Ac61tQqe","number":1,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.10 to 1.4.21 in /services/user-service in the maven group across 1 
directory","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-26T18:25:46.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-26T18:19:49.000Z","updated_at":"2025-11-26T18:25:48.000Z","time_to_close":357,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/services/user-service in the maven group across 1 directory","ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /services/user-service directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.10\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e 
\u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/og-dmacinnes/vulnshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/og-dmacinnes/vulnshop/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/og-dmacinnes%2Fvulnshop/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-11-24T19:54:42.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"3660320965","node_id":"PR_kwDOQcN32M61Rlic","number":4,"state":"closed","title":"Bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-11-26T18:36:34.000Z","author_association":null,"state_reason":null,"created_at":"2025-11-24T19:54:42.000Z","updated_at":"2025-11-26T18:36:36.000Z","time_to_close":168112,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/testOnboarding-Jie/WebGoat/pull/4","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/testOnboarding-Jie%2FWebGoat/issues/4","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/4/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-10-07T12:39:03.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2893847241","node_id":"PR_kwDOP93AT86sfJrJ","number":5,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-07T12:39:03.000Z","updated_at":"2025-10-07T12:39:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 
1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/sig-chakrava/webgoat_source/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/sig-chakrava%2Fwebgoat_source/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"}},{"old_version":"1.4.17","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-10-06T09:03:44.000Z","version_change":"1.4.17 → 1.4.21","issue":{"uuid":"2889359830","node_id":"PR_kwDOC1evIc6sOCHW","number":40,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.17 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-06T09:03:44.000Z","updated_at":"2025-10-06T09:03:45.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.17","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.17 to 
1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.17\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/marcomarasca/Synapse-Repository-Services/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/marcomarasca/Synapse-Repository-Services/pull/40","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/marcomarasca%2FSynapse-Repository-Services/issues/40","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/40/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-10-06T05:56:42.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2888900879","node_id":"PR_kwDOPn-U5M6sMSEP","number":17,"state":"open","title":"chore: bump the maven group across 1 directory with 2 updates","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-06T05:56:42.000Z","updated_at":"2025-10-06T05:56:43.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore: 
bump","group_name":"maven","update_count":2,"packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"},{"name":"org.bitbucket.b_c:jose4j","old_version":"0.9.3","new_version":"0.9.4"}],"path":null,"ecosystem":"maven"},"body":"Bumps the maven group with 2 updates in the / directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) and [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.5 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `org.bitbucket.b_c:jose4j` from 0.9.3 to 0.9.4\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1ec20f8716436857a3929f60e644d4de1e40bfd9\"\u003e\u003ccode\u003e1ec20f8\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare for next development iteration\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/e4da603d8ebd40f4f2080e24c9b906b9e3f31fc5\"\u003e\u003ccode\u003ee4da603\u003c/code\u003e\u003c/a\u003e Update slf4j-api to 1.7.36 to avoid CVE-2018-8088\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/b5720a2fde3fc0a1937737ead27863b404f0f458\"\u003e\u003ccode\u003eb5720a2\u003c/code\u003e\u003c/a\u003e Merged in master (pull request \u003ca href=\"https://bitbucket.org/b_c/jose4j/issues/25\"\u003e#25\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/72739aeeadb468db72d7944a6d8c3c2593dd2a9c\"\u003e\u003ccode\u003e72739ae\u003c/code\u003e\u003c/a\u003e fix 
spelling\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b31cd4461fd56750c499c139ca39f0\"\u003e\u003ccode\u003e1afaa1e\u003c/code\u003e\u003c/a\u003e Add the PBES2 algorithms to JWE's default blocked AlgorithmConstraints and pu...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://bitbucket.org/b_c/jose4j/commits/055225eae37ff00b9636376de292bd5848219a31\"\u003e\u003ccode\u003e055225e\u003c/code\u003e\u003c/a\u003e [maven-release-plugin] prepare release jose4j-0.9.4\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://bitbucket.org/b_c/jose4j/branches/compare/jose4j-0.9.4..jose4j-0.9.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e \u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/kalinowskiremi/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/kalinowskiremi/WebGoat/pull/17","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalinowskiremi%2FWebGoat/issues/17","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/17/packages"}},{"old_version":"1.4.10","new_version":"1.4.21","update_type":"patch","path":"/redhat/training/pam/project in the maven group across 1 directory","pr_created_at":"2025-10-02T21:33:40.000Z","version_change":"1.4.10 → 1.4.21","issue":{"uuid":"2883121571","node_id":"PR_kwDONDf1os6r2PGj","number":1,"state":"open","title":"Bump 
com.thoughtworks.xstream:xstream from 1.4.10 to 1.4.21 in /redhat/training/pam/project in the maven group across 1 directory","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-10-02T21:33:40.000Z","updated_at":"2025-10-02T21:33:41.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.10","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":"/redhat/training/pam/project in the maven group across 1 directory","ecosystem":"maven"},"body":"Bumps the maven group with 1 update in the /redhat/training/pam/project directory: [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream).\n\nUpdates `com.thoughtworks.xstream:xstream` from 1.4.10 to 1.4.21\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.10\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)\n- `@dependabot unignore \u003cdependency name\u003e` will remove all of the ignore conditions of the specified dependency\n- `@dependabot unignore \u003cdependency name\u003e 
\u003cignore condition\u003e` will remove the ignore condition of the specified dependency and ignore conditions\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/offsoc/docker_env/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/offsoc/docker_env/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/offsoc%2Fdocker_env/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"}},{"old_version":"1.4.19","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-10-01T09:45:30.000Z","version_change":"1.4.19 → 1.4.21","issue":{"uuid":"2877574895","node_id":"PR_kwDOAz8e_M6rhE7v","number":258,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.19 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-10-01T09:45:30.000Z","updated_at":"2025-10-01T09:45:31.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.19","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.19\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hazelcast/hazelcast-eureka/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/hazelcast/hazelcast-eureka/pull/258","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/hazelcast%2Fhazelcast-eureka/issues/258","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/258/packages"}},{"old_version":"1.4.19","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-29T06:37:27.000Z","version_change":"1.4.19 → 1.4.21","issue":{"uuid":"2869250465","node_id":"PR_kwDOFKHe-c6rBUmh","number":62,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.19 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-29T06:37:27.000Z","updated_at":"2025-09-29T06:37:28.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.19","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=gradle\u0026previous-version=1.4.19\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/piacenti/dsl-maker/pull/62","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/piacenti%2Fdsl-maker/issues/62","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/62/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-28T11:10:51.000Z","version_change":"1.4.5 → 
1.4.21","issue":{"uuid":"2867609985","node_id":"PR_kwDOPn-U5M6q7EGB","number":13,"state":"closed","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-10-06T05:56:44.000Z","author_association":"NONE","state_reason":null,"created_at":"2025-09-28T11:10:51.000Z","updated_at":"2025-10-06T05:56:44.000Z","time_to_close":672353,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/kalinowskiremi/WebGoat/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/kalinowskiremi/WebGoat/pull/13","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalinowskiremi%2FWebGoat/issues/13","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/13/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:53:03.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2866645921","node_id":"PR_kwDOP4BEYs6q3Yuh","number":5,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:53:03.000Z","updated_at":"2025-09-27T15:53:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/amills4421/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/amills4421/webgoat-security-workshop/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/amills4421%2Fwebgoat-security-workshop/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:51:28.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2866644180","node_id":"PR_kwDOP4AvQ86q3YTU","number":6,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:51:28.000Z","updated_at":"2025-09-27T15:51:29.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/HenryWu7175/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/HenryWu7175/webgoat-security-workshop/pull/6","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/HenryWu7175%2Fwebgoat-security-workshop/issues/6","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/6/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:50:03.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2866643354","node_id":"PR_kwDOP4AyLc6q3YGa","number":8,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:50:03.000Z","updated_at":"2025-09-27T15:50:04.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/IsabellaSlome/webgoat-security-workshop/pull/8","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/IsabellaSlome%2Fwebgoat-security-workshop/issues/8","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/8/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:49:34.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2866643080","node_id":"PR_kwDOP4Av9c6q3YCI","number":10,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:49:34.000Z","updated_at":"2025-09-27T15:49:34.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps 
[com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/Felix-Hardjana/sast-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Felix-Hardjana/sast-workshop/pull/10","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Felix-Hardjana%2Fsast-workshop/issues/10","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/10/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:49:09.000Z","version_change":"1.4.5 → 1.4.21","issue":{"uuid":"2866642801","node_id":"PR_kwDOP4A5vc6q3X9x","number":5,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 
1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-09-27T15:49:09.000Z","updated_at":"2025-09-27T15:49:10.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/MigiIsRight/WebGoat/pull/5","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/MigiIsRight%2FWebGoat/issues/5","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/5/packages"}},{"old_version":"1.4.5","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-27T15:36:12.000Z","version_change":"1.4.5 → 
1.4.21","issue":{"uuid":"2866633890","node_id":"PR_kwDOP4A9b86q3Vyi","number":4,"state":"open","title":"chore: bump com.thoughtworks.xstream:xstream from 1.4.5 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-27T15:36:12.000Z","updated_at":"2025-09-27T15:36:13.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.5","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.5 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=maven\u0026previous-version=1.4.5\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts 
page](https://github.com/Mythicalhoppa/webgoat-security-workshop/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/Mythicalhoppa/webgoat-security-workshop/pull/4","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mythicalhoppa%2Fwebgoat-security-workshop/issues/4","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/4/packages"}},{"old_version":"1.4.18","new_version":"1.4.21","update_type":"patch","path":null,"pr_created_at":"2025-09-22T20:01:45.000Z","version_change":"1.4.18 → 1.4.21","issue":{"uuid":"3442557768","node_id":"PR_kwDOGh5jPc6p7e8_","number":241,"state":"open","title":"Bump com.thoughtworks.xstream:xstream from 1.4.18 to 1.4.21","user":"dependabot[bot]","labels":["dependencies","java","Stale"],"assignees":[],"locked":false,"comments_count":3,"pull_request":true,"closed_at":null,"author_association":null,"state_reason":null,"created_at":"2025-09-22T20:01:45.000Z","updated_at":"2025-12-26T03:01:15.893Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"com.thoughtworks.xstream:xstream","old_version":"1.4.18","new_version":"1.4.21","repository_url":"https://github.com/x-stream/xstream"}],"path":null,"ecosystem":"maven"},"body":"Bumps [com.thoughtworks.xstream:xstream](https://github.com/x-stream/xstream) from 1.4.18 to 1.4.21.\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/x-stream/xstream/commits\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=com.thoughtworks.xstream:xstream\u0026package-manager=gradle\u0026previous-version=1.4.18\u0026new-version=1.4.21)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. 
You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 days.\n","html_url":"https://github.com/thinking-github/conductor/pull/241","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/thinking-github%2Fconductor/issues/241","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/241/packages"}}]}