fix(deps): update dependency net.dv8tion:jda to v6.1.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
net.dv8tion:JDA	6.0.0-rc.5 → 6.1.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

JDA (Java Discord API) downloads external URLs when updating message components

GHSA-93fv-4pm9-xp28

More information

Details

Impact

Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request.

If you are used Message#getComponents or similar to get a list of components and then send those components with sendMessageComponents or other methods, you might unintentionally download media from an external URL in the resolved media of a Thumbnail, FileDisplay, or MediaGallery.

Patches

This bug has been fixed in 6.1.3, and we recommend updating.

Workarounds

Avoid sending components from untrusted messages or update to version 6.1.3.

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

References

• https://github.com/discord-jda/JDA/security/advisories/GHSA-93fv-4pm9-xp28
• https://github.com/discord-jda/JDA/commit/bb6d2ce5cf514429327c257f5c6fa95a137e3ab6
• https://github.com/advisories/GHSA-93fv-4pm9-xp28

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

discord-jda/JDA (net.dv8tion:JDA)

v6.1.3

Compare Source

Bug Fixes

• Avoid downloading external URLs for component updates by @​MinnDevelopment in #​2971

Full Changelog: discord-jda/JDA@v6.1.2...v6.1.3

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.1.3")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.1.3</version> 
</dependency>

v6.1.2

Compare Source

Bug Fixes

• Fix voice state in events when joining channel by @​MinnDevelopment in #​2959

Full Changelog: discord-jda/JDA@v6.1.1...v6.1.2

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.1.2")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.1.2</version> 
</dependency>

v6.1.1

Compare Source

New Features

• Implement Reading/Writing System Channel Flags by @​LaFriska in #​2928

Bug Fixes

• Fix ModalMapping::getAsAttachmentList if no attachments were submitted by @​archer-321 in #​2941
• Remove internal class call and replace with local version by @​mikomikotaishi in #​2944
• Fix emtpy edit message builders by @​MinnDevelopment in #​2953
• Add check for valid interface types on ChannelCacheView#ofType by @​MinnDevelopment in #​2955

Full Changelog: discord-jda/JDA@v6.1.0...v6.1.1

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.1.1")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.1.1</version> 
</dependency>

v6.1.0: | Modal File Uploads

Overview

This release primarily adds support for file uploads in modals.

Creating a Modal accepting file uploads

Modal.create("modal-id", "Banner Update")
  .addComponents(Label.of("Banner Image", AttachmentUpload.of("banner-file")))
  .build()

Using the uploaded file

@​Override
public void onModalInteraction(@​NotNull ModalInteractionEvent event) {
    event.reply("The banner is being updated.").setEphemeral(true).queue();
    
    Message.Attachment attachment = event.getValue("cat-img").getAsAttachmentList().get(0);
    attachment.getProxy()
        .downloadAsIcon()
        .thenCompose(icon -> event.getGuild().getSelfMember().getManager().setBanner(icon).submit())
        .exceptionally(e -> {
            RestAction.getDefaultFailure().accept(e);
            return null;
        });
}

New Features

• Add modal file uploads by @​freya022 in #​2920
• Support modifying avatar, banner and bio of current member by @​freya022 in #​2915
• Add missing Invite.Guild fields by @​freya022 in #​2914

Full Changelog: discord-jda/JDA@v6.0.0...v6.1.0

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.1.0")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.1.0</version> 
</dependency>

v6.0.0: | New Component API

Compare Source

Overview

This is the stable release of JDA 6.0.0. To avoid repeating the same information again, please look at the release notes of the release candidates for detailed explanations of the breaking changes and new features.

Release Candidates

1. v6.0.0-rc.1 New Components
2. v6.0.0-rc.2 New Pin Pagination API
3. v6.0.0-rc.3 New pin permissions and removal of bot owned guilds
4. v6.0.0-rc.4 Change to Modals
5. v6.0.0-rc.5 Modal Components and Serialization

Migrating to 6.0.0

To help ease the upgrade to JDA 6.0.0, we've provided an OpenRewrite recipe that can automatically refactor parts of your codebase. This will update imports and replace a few method calls with their new equivalents in JDA 6.0.0.

However, not all breaking changes can be handled automatically — for example, code that relied on the mutability of ActionRow will require manual adjustments.

You will also have to update your code for creating Modal instances. Instead of using ActionRow, modals now make use of the Label component. Read the release notes for v6.0.0-rc.4 to learn more.

The OpenRewrite Recipe

Before applying the recipe, make sure you’re using version control (e.g., Git) or back up your project manually. You’ll also need to be using Gradle or Maven to apply the migration.

Gradle

We are using the OpenRewrite Gradle Plugin. Before changing your JDA version in gradle, you can add the rewrite plugin and use the recipe to migrate your code:

plugins {
    id("org.openrewrite.rewrite") version "7.11.0"
}

repositories {
    mavenCentral()
}

dependencies {
    // Your current JDA version before upgrading to 6.0.0
    implementation("net.dv8tion:JDA:5.+")

    rewrite("net.dv8tion:JDA:6.0.0")
    rewrite("org.openrewrite.recipe:rewrite-java-dependencies:1.37.0")
}

rewrite {
    activeRecipe("net.dv8tion.MigrateComponentsV2")
}

Once you configured this plugin, you can use the rewriteDryRun task to generate a git patch in build/reports/rewrite/rewrite.patch to see what the plugin will do with your source code. To apply the changes, either use this patch or use rewriteRun.

After migrating your code, you can then update your JDA version (if the rewrite hasn't done it already) and remove the plugin again.

Maven

We are using the OpenRewrite Maven Plugin. Before changing your JDA version in your pom, you can add the rewrite plugin and use the recipe to migrate your code:

<plugin>
  <groupId>org.openrewrite.maven</groupId>
  <artifactId>rewrite-maven-plugin</artifactId>
  <version>6.13.0</version>
  <configuration>
    <activeRecipes>
      <recipe>net.dv8tion.MigrateComponentsV2</recipe>
    </activeRecipes>
  </configuration>
  <dependencies>
    <dependency>
      <groupId>org.openrewrite.recipe</groupId>
      <artifactId>rewrite-java-dependencies</artifactId>
      <version>1.37.0</version>
    </dependency>
    <dependency>
      <groupId>net.dv8tion</groupId>
      <artifactId>JDA</artifactId>
      <version>6.0.0</version>
    </dependency>
  </dependencies>
</plugin>

Once you configured this plugin, you can use the rewrite:dryRun task to generate a git patch in target/site/rewrite/rewrite.patch to see what the plugin will do with your source code. To apply the changes, either use this patch or use rewrite:run.

After migrating your code, you can then update your JDA version (if the rewrite hasn't done it already) and remove the plugin again.

New Features

• Add support for components V2 by @​freya022 in #​2809
• Add new pinned message pagination by @​MinnDevelopment in #​2874
• Add message pin permission by @​freya022 in #​2895
• Add support for user primary guilds by @​mjezek-dev in #​2863
• Add common interface for interactions with a custom ID by @​Kaktushose in #​2778
• Add support for Label and StringSelectMenu in Modals by @​Xirado in #​2162
• Add ComponentSerializer and ComponentDeserializer by @​MinnDevelopment in #​2906
• Add TextInput#of shortcut by @​MinnDevelopment in #​2908
• Add entity selects and text displays in modals by @​freya022 in #​2913

Changes

• Remove deprecated features by @​MinnDevelopment in #​2867
• Make JDA#getMutualGuilds accept UserSnowflake instead of User objects by @​MineKing9534 in #​2877
• Move modal classes out of the interactions package by @​freya022 in #​2890
• Use new routes to (un)pin messages by @​freya022 in #​2896
• Remove bot owned guild endpoints by @​freya022 in #​2888

Bug Fixes

• Remove port stripping in VoiceServerUpdateHandler by @​MinnDevelopment in #​2884
• Use DELETE_GUILD route according to the Discord Docs by @​kiLeo13 in #​2875
• Handle forum channels with missing available_tags field by @​MinnDevelopment in #​2902
• Remove unnecessary escaping while creating a masked link by @​Alf-Melmac in #​2910

Full Changelog: discord-jda/JDA@v5.6.1...v6.0.0

Installation

Gradle

repositories {
    mavenCentral()
}
dependencies {
    implementation("net.dv8tion:JDA:6.0.0")
}

Maven

<dependency>
    <groupId>net.dv8tion</groupId>
    <artifactId>JDA</artifactId>
    <version>6.0.0</version> 
</dependency>

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.