Merge pull request #46 from Basic-Data-Infrastructure/update-for-cve-2025-67735

remvee · web-flow · commit a57553401d95 · 2026-01-09T10:38:55.000+01:00
Update for CVE 2025 67735
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         with:
           path: "~/.m2"
           key: "prep-deps-${{ hashFiles('deps.edn') }}"
@@ -71,7 +71,7 @@ jobs:
         service: [association-register, authorization-register, authentication-service, connector]
     steps:
       - uses: actions/checkout@v6
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         with:
           path: "~/.m2"
           key: "prep-deps${{ hashFiles('deps.edn') }}"
@@ -131,7 +131,7 @@ jobs:
         lib: [clj-ishare-jwt, clj-ishare-client, clj-authentication, clj-ring-middleware]
     steps:
       - uses: actions/checkout@v6
-      - uses: actions/cache@v4
+      - uses: actions/cache@v5
         with:
           path: "~/.m2"
           key: "prep-deps${{ hashFiles('deps.edn') }}"
diff --git a/.github/workflows/dependency-vulnerabilities.yml b/.github/workflows/dependency-vulnerabilities.yml
@@ -24,7 +24,7 @@ jobs:
       run: echo "date=$(date '+%Y-%m-%d')" >> $GITHUB_OUTPUT
 
     - uses: actions/checkout@v6
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       with:
         path: "~/.m2"
         # store as today's cache
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -32,7 +32,7 @@ jobs:
     steps:
     - uses: actions/checkout@v6
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@v5
       with:
         path: "~/.m2"
         key: "deps-${{ hashFiles('deps.edn') }}"
diff --git a/association-register/deps.edn b/association-register/deps.edn
@@ -15,10 +15,10 @@
          ring/ring-json                     {:mvn/version "0.5.1"}
          ring/ring-jetty-adapter            {:mvn/version "1.15.3"}
          compojure/compojure                {:mvn/version "1.7.2"}
-         ch.qos.logback/logback-classic     {:mvn/version "1.5.21"}
+         ch.qos.logback/logback-classic     {:mvn/version "1.5.24"}
          nl.jomco/clj-http-status-codes     {:mvn/version "0.2"}
-         org.clojure/core.cache             {:mvn/version "1.1.234"}
-         org.clojure/tools.logging          {:mvn/version "1.3.0"}
+         org.clojure/core.cache             {:mvn/version "1.2.249"}
+         org.clojure/tools.logging          {:mvn/version "1.3.1"}
          nl.jomco/envopts                   {:mvn/version "0.0.7"}}
  :paths ["src" "resources"]
  :aliases
diff --git a/authentication-service/deps.edn b/authentication-service/deps.edn
@@ -8,7 +8,7 @@
 {:deps  {org.bdinetwork/clj-authentication  {:local/root "../clj-authentication"}
          org.bdinetwork/clj-ring-middleware {:local/root "../clj-ring-middleware"}
          org.bdinetwork/service-commons     {:local/root "../service-commons"}
-         ch.qos.logback/logback-classic     {:mvn/version "1.5.21"}
+         ch.qos.logback/logback-classic     {:mvn/version "1.5.24"}
          nl.jomco/with-resources            {:mvn/version "0.1.2"}
          nl.jomco/openapi-v3-validator      {:mvn/version "0.2.6"}
          clj-commons/clj-yaml               {:mvn/version "1.0.29"}
@@ -17,8 +17,8 @@
          ring/ring-jetty-adapter            {:mvn/version "1.15.3"}
          compojure/compojure                {:mvn/version "1.7.2"}
          nl.jomco/clj-http-status-codes     {:mvn/version "0.2"}
-         org.clojure/core.cache             {:mvn/version "1.1.234"}
-         org.clojure/tools.logging          {:mvn/version "1.3.0"}
+         org.clojure/core.cache             {:mvn/version "1.2.249"}
+         org.clojure/tools.logging          {:mvn/version "1.3.1"}
          nl.jomco/envopts                   {:mvn/version "0.0.7"}}
  :paths ["src" "resources"]
 
diff --git a/authorization-register/deps.edn b/authorization-register/deps.edn
@@ -5,9 +5,9 @@
 ;;;
 ;;; SPDX-License-Identifier: AGPL-3.0-or-later
 
-{:deps {ch.qos.logback/logback-classic     {:mvn/version "1.5.21"}
+{:deps {ch.qos.logback/logback-classic     {:mvn/version "1.5.24"}
         clj-commons/clj-yaml               {:mvn/version "1.0.29"}
-        com.github.seancorfield/next.jdbc  {:mvn/version "1.3.1070"}
+        com.github.seancorfield/next.jdbc  {:mvn/version "1.3.1086"}
         compojure/compojure                {:mvn/version "1.7.2"}
         datascript/datascript              {:mvn/version "1.7.8"}
         migratus/migratus                  {:mvn/version "1.6.4"}
@@ -17,8 +17,8 @@
         nl.jomco/with-resources            {:mvn/version "0.1.2"}
         org.bdinetwork/clj-ring-middleware {:local/root "../clj-ring-middleware"}
         org.bdinetwork/service-commons     {:local/root "../service-commons"}
-        org.clojure/core.cache             {:mvn/version "1.1.234"}
-        org.clojure/tools.logging          {:mvn/version "1.3.0"}
+        org.clojure/core.cache             {:mvn/version "1.2.249"}
+        org.clojure/tools.logging          {:mvn/version "1.3.1"}
         org.postgresql/postgresql          {:mvn/version "42.7.8"}
         ring/ring-core                     {:mvn/version "1.15.3"}
         ring/ring-jetty-adapter            {:mvn/version "1.15.3"}
diff --git a/clj-authentication/deps.edn b/clj-authentication/deps.edn
@@ -4,7 +4,7 @@
 ;;; SPDX-License-Identifier: AGPL-3.0-or-later
 
 {:deps  {org.bdinetwork/clj-ishare-client {:local/root "../clj-ishare-client"}
-         org.clojure/core.cache           {:mvn/version "1.1.234"}
+         org.clojure/core.cache           {:mvn/version "1.2.249"}
          clj-commons/clj-yaml             {:mvn/version "1.0.29"}
          nl.jomco/openapi-v3-validator    {:mvn/version "0.2.6"}}
  :paths ["src" "resources"]}
diff --git a/clj-ishare-client/deps.edn b/clj-ishare-client/deps.edn
@@ -8,8 +8,8 @@
 {:deps  {org.bdinetwork/clj-ishare-jwt {:local/root "../clj-ishare-jwt"}
          org.babashka/http-client      {:mvn/version "0.4.23"}
          org.babashka/json             {:mvn/version "0.1.6"}
-         org.clojure/tools.logging     {:mvn/version "1.3.0"}
-         org.clojure/core.memoize      {:mvn/version "1.1.266"}}
+         org.clojure/tools.logging     {:mvn/version "1.3.1"}
+         org.clojure/core.memoize      {:mvn/version "1.2.273"}}
  :paths ["src"]
 
  :aliases
diff --git a/clj-ring-middleware/deps.edn b/clj-ring-middleware/deps.edn
@@ -7,6 +7,6 @@
 
 {:deps  {org.bdinetwork/clj-authentication {:local/root "../clj-authentication"}
          nl.jomco/clj-http-status-codes    {:mvn/version "0.2"}
-         org.clojure/tools.logging         {:mvn/version "1.3.0"}
+         org.clojure/tools.logging         {:mvn/version "1.3.1"}
          org.slf4j/slf4j-api               {:mvn/version "2.0.17"}}
  :paths ["src"]}
diff --git a/connector/deps.edn b/connector/deps.edn
@@ -7,14 +7,14 @@
         ;; drip responses
         org.clojure/core.async {:mvn/version "1.8.741"}
 
-        org.clojure/tools.logging      {:mvn/version "1.3.0"}
-        ch.qos.logback/logback-classic {:mvn/version "1.5.21"}
+        org.clojure/tools.logging      {:mvn/version "1.3.1"}
+        ch.qos.logback/logback-classic {:mvn/version "1.5.24"}
 
-        aleph/aleph                    {:mvn/version "0.9.3"}
         nl.jomco/clj-http-status-codes {:mvn/version "0.2"}
         nl.jomco/passage               {:git/url "https://codeberg.org/jomco/passage.git"
-                                        :git/sha "0c2f080d46be86c94a9a005725663bfba13661e1"}
-        org.clojure/data.json          {:mvn/version "2.5.1"}
+                                        :git/sha "0d291ae5386d03e1b6a9a900b98e0183dfadeea9"}
+        manifold/manifold              {:mvn/version "0.5.0"}
+        org.clojure/data.json          {:mvn/version "2.5.2"}
         ring/ring-core                 {:mvn/version "1.15.3"}
         ring/ring-json                 {:mvn/version "0.5.1"}
         hiccup/hiccup                  {:mvn/version "2.0.0"}
@@ -32,6 +32,6 @@
   :run     {:main-opts ["-m" "org.bdinetwork.connector.main"]}
 
   :print-interceptors {:replace-paths ["src"] ;; prevent log messages
-                       :exec-fn   passage.interceptors/print-docs
-                       :exec-args {:extra-namespaces [org.bdinetwork.connector.interceptors]
-                                   :ns-alias         {bdi org.bdinetwork.connector.interceptors}}}}}
+                       :exec-fn       passage.interceptors/print-docs
+                       :exec-args     {:extra-namespaces [org.bdinetwork.connector.interceptors]
+                                       :ns-alias         {bdi org.bdinetwork.connector.interceptors}}}}}
diff --git a/connector/test/org/bdinetwork/connector/interceptors_test.clj b/connector/test/org/bdinetwork/connector/interceptors_test.clj
@@ -3,7 +3,7 @@
 ;;; SPDX-License-Identifier: AGPL-3.0-or-later
 
 (ns org.bdinetwork.connector.interceptors-test
-  (:require [aleph.http :as http]
+  (:require [babashka.http-client :as http]
             [buddy.core.keys :as keys]
             [clojure.data.json :as json]
             [clojure.java.io :as io]
@@ -206,9 +206,8 @@
                              :aud "audience"
                              :sub "test-subject"})
             {:keys [status body]}
-            @(http/get proxy-url
-                       {:throw-exceptions? false
-                        :headers           {"authorization" (str "Bearer " token)}})]
+            (http/get proxy-url
+                      {:throw-exceptions? false
+                       :headers           {"authorization" (str "Bearer " token)}})]
         (is (= http-status/ok status))
-        (is (= "pass"
-               (slurp body)))))))
+        (is (= "pass" body))))))
diff --git a/deps.edn b/deps.edn
@@ -34,7 +34,7 @@
 
                       ;; connector tests
                       ring/ring {:mvn/version "1.15.3"}}
-         :main-opts ["-m" "kaocha.runner"]
+         :main-opts   ["-m" "kaocha.runner"]
          :extra-paths ["test-helpers"
                        "test-resources"
                        "clj-ishare-jwt/test"
@@ -48,7 +48,7 @@
   :lint {:extra-deps {clj-kondo/clj-kondo {:mvn/version "RELEASE"}}
          :main-opts  ["-m" "clj-kondo.main"]}
 
-  :build {:deps       {io.github.clojure/tools.build {:mvn/version "0.10.11"}
+  :build {:deps       {io.github.clojure/tools.build {:mvn/version "0.10.12"}
                        slipset/deps-deploy           {:mvn/version "RELEASE"}}
           :ns-default build-lib}
 
