Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump AHC to 3.0.1 #243

Open
wants to merge 2 commits into
base: 2.0.x
Choose a base branch
from
Open

Bump AHC to 3.0.1 #243

wants to merge 2 commits into from

Conversation

AshCorr
Copy link

@AshCorr AshCorr commented Jan 15, 2025
edited
Loading

AHC 3.0.1 has a Critical CVE which is causing downstream consumers of dispatch to get vulnerability alerts.

Included in 3.0.1 are a few dependency upgrades in addition to the fix for the CVE. AHC considers 3.0.1 as breaking release as they've added a new method to the abstract RequestBuilderBase class.

Worth noting that the behaviour of the default client has changed slightly in order to fix the CVE. Previously cookies found in the cookie jar would replace cookies in the RequestBuilder, this is no longer the case.

Not quite sure about the branch layout of this repo! Should this change go to the 2.0.x branch?

@AshCorr AshCorr changed the base branch from main to 2.0.x January 15, 2025 16:45
@AshCorr AshCorr marked this pull request as draft January 15, 2025 16:48
AshCorr
AshCorr commented Jan 15, 2025
View reviewed changes
core/src/main/scala/requests.scala
Comment on lines +487 to +493
/**
* Add a cookie based on its name, if it does not exist yet. Cookies that
* are already set will be ignored.
*/
def addCookieIfUnset(cookie: Cookie) = {
subject.underlying(_.addCookieIfUnset(cookie))
}
Copy link
Author

@AshCorr AshCorr Jan 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Introduced as part of the CVE fix: https://github.com/AsyncHttpClient/async-http-client/pull/2033/files#diff-b93b188fc1eb54ff862ad616314205285d5877c656e4a5fb3d9f6650c0a0587eR336-R338

@AshCorr AshCorr marked this pull request as ready for review January 15, 2025 17:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@AshCorr