Skip to content

Fixing Swagger 2.1.36 CVE#1045

Merged
ricardozanini merged 1 commit intoserverlessworkflow:mainfrom
ricardozanini:fix-cves
Dec 11, 2025
Merged

Fixing Swagger 2.1.36 CVE#1045
ricardozanini merged 1 commit intoserverlessworkflow:mainfrom
ricardozanini:fix-cves

Conversation

@ricardozanini
Copy link
Member

@ricardozanini ricardozanini commented Dec 11, 2025

A few libraries from Swagger has CVEs and the upstream project has not upgraded yet. Once they do, we can remove the forced deps.

@ricardozanini
Fixing Swagger 2.1.36 CVE
c5e6509 
Signed-off-by: Ricardo Zanini <ricardozanini@gmail.com>
fjtirado
fjtirado approved these changes Dec 11, 2025
View reviewed changes
Copy link
Collaborator

@fjtirado fjtirado left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I now wondering if we should use swagger to parse the open api file at all (rhino?)

@ricardozanini
Copy link
Member Author

ricardozanini commented Dec 11, 2025

I now wondering if we should use swagger to parse the open api file at all (rhino?)

I was wondering the same. This thing brings A LOT OF dependencies. It's insane. Wondering if just jackson would do.

@ricardozanini ricardozanini merged commit 6bce0c6 into serverlessworkflow:main Dec 11, 2025
3 checks passed
@ricardozanini ricardozanini deleted the fix-cves branch December 11, 2025 21:02
@fjtirado
Copy link
Collaborator

fjtirado commented Dec 12, 2025

Maybe we should try this one https://github.com/openapi-processor/openapi-parser/tree/master/openapi-parser, but it does not cover openapi 2.0 files.
We can use plain jackson, but we will need to generate the POJOS from the 2.0 and 3.0 schema.

@mcruzdev mcruzdev mentioned this pull request Dec 12, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fjtirado fjtirado fjtirado approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ricardozanini @fjtirado