chore(deps): bump artemis-jakarta 2.42.0 → 2.54.0 and migrate groupId to org.apache.artemis #24101
Open
stian-sandvold wants to merge 1 commit into
… to org.apache.artemis Ports the fix from #24049 (2.42) to 2.43. Bumps artemis-jakarta.version and migrates the Maven groupId org.apache.activemq → org.apache.artemis (relocated as of Artemis 2.50.0, Apache TLP migration). Fixes CRITICAL CVE-2026-27446 (missing-auth Core federation; affects 2.11.0–2.44.0, fixed 2.52.0). Netty stays aligned at 4.2.13.Final via the netty-bom import (#24048).



What
Bumps artemis-jakarta.version from 2.42.0 → 2.54.0 and migrates the Artemis Maven groupId from org.apache.activemq to org.apache.artemis.
This ports the same fix already merged on the 2.42 branch (#24049) to the 2.43 branch. There is no open Dependabot Artemis PR on this branch; the bump and the groupId move are coupled (the new groupId only exists for Artemis ≥ 2.50), so they are done together here.
Why the groupId change is needed
Apache Artemis became its own Apache top-level project and migrated its Maven coordinates from org.apache.activemq to org.apache.artemis starting in 2.50.0. The old coordinates are still published, but only as relocation stubs that point at the new ones.
The consequence: with just a version bump, we still declare org.apache.activemq:* while Maven resolves the relocated org.apache.artemis:* artifacts. dependency:analyze then fails the dhis-support-artemis module — it sees the new coordinates as "used but undeclared" and the old ones as "unused declared", and the existing analyze ignore entries (pinned to the old groupId) no longer match.
This PR updates the groupId at every declaration and in the three analyze ignore entries, which is the change the upstream migration asks consumers to make. Artemis keeps full package & code compatibility across the move, so there are no Java/API changes — only Maven coordinates.
Security
This upgrade also fixes CVE-2026-27446 (CWE-306, missing authentication for a critical function — CVSS 9.8). An unauthenticated client using the Core protocol could force the broker to open an outbound federation connection to a rogue broker, enabling message injection/exfiltration. It affects Artemis 2.11.0–2.44.0 and is fixed in 2.52.0. Exposure here is limited because the broker is embedded, but the fix is worth having.
Netty alignment
This branch carries the netty-bom import (added in 24048), so the larger Netty tree pulled in by Artemis ≥ 2.50 stays aligned at 4.2.13.Final — no class-skew.
Notes on 2.54.0 release changes
The breaking items in the 2.50→2.54 notes do not apply to our embedded usage: Docker image path change, deprecated (non-functional) HTTP transport params, deprecated addSecuritySettings management methods, and default broker.xml security-setting clarifications.
Testing
dependency:analyze on dhis-support-artemis passes (the failure a version-only bump hits).
org.apache.artemis:*:2.54.0 and all Netty artifacts stay aligned at 4.2.13.Final.
🤖 Generated with Claude Code
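
The coupling described in this PR (version bump, groupId relocation, analyze ignore entries) can be checked mechanically before merge. The following is an added example, not code from the PR or the project: it audits a single POM for Artemis versions inside the affected range quoted above and for coordinates still on the old groupId after 2.50.0. The sample POM, the function names and the finding labels are constructed for illustration, and versions inherited from a parent POM or dependencyManagement are not resolved.

```python
import re
import xml.etree.ElementTree as ET

OLD_GROUP, NEW_GROUP = "org.apache.activemq", "org.apache.artemis"
RELOCATED_FROM = (2, 50, 0)          # per the PR text: new groupId exists from 2.50.0
AFFECTED = ((2, 11, 0), (2, 44, 0))  # per the PR text: CVE-2026-27446 affected range

# Constructed sample POM for illustration; not the project's real pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><artemis-jakarta.version>2.54.0</artemis-jakarta.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.activemq</groupId><artifactId>artemis-jakarta-server</artifactId>
    <version>${artemis-jakarta.version}</version>
  </dependency></dependencies>
  <build><plugins><plugin><artifactId>maven-dependency-plugin</artifactId>
    <configuration><ignoredUnusedDeclaredDependencies>
      <ignoredUnusedDeclaredDependency>org.apache.activemq:artemis-commons</ignoredUnusedDeclaredDependency>
    </ignoredUnusedDeclaredDependencies></configuration>
  </plugin></plugins></build></project>"""

def local(el):  # element name without the POM XML namespace
    return el.tag.rsplit("}", 1)[-1]

def parse_version(text, props):  # -> (major, minor, patch) or None
    ref = re.fullmatch(r"\$\{(.+)\}", text or "")   # ${property} reference
    text = props.get(ref.group(1), "") if ref else (text or "")
    parts = re.findall(r"\d+", text)[:3]
    return tuple(map(int, parts)) if len(parts) == 3 else None

def audit(pom_xml):  # -> list of (finding, subject) pairs for one POM
    root = ET.fromstring(pom_xml)
    props = {local(p): (p.text or "").strip()
             for el in root.iter() if local(el) == "properties" for p in el}
    findings, old_ignores, relocated = [], [], False
    for el in root.iter():
        if local(el) == "dependency":
            f = {local(c): (c.text or "").strip() for c in el}
            gid, aid = f.get("groupId"), f.get("artifactId", "")
            ver = parse_version(f.get("version"), props)
            if gid not in (OLD_GROUP, NEW_GROUP) or not aid.startswith("artemis-") or not ver:
                continue
            relocated = relocated or ver >= RELOCATED_FROM
            if AFFECTED[0] <= ver <= AFFECTED[1]:
                findings.append(("affected-version", aid))
            if gid == OLD_GROUP and ver >= RELOCATED_FROM:
                findings.append(("stale-groupId", aid))   # resolves via relocation stub
        elif len(el) == 0 and (el.text or "").strip().startswith(OLD_GROUP + ":artemis-"):
            old_ignores.append(("stale-ignore-entry", el.text.strip()))
    # Ignore entries on the old groupId only stop matching once the relocated version is in use.
    return findings + (old_ignores if relocated else [])
```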