Skip to content

Depend on internal artifacts instead of the umbrella artifacts (#9124) (CP: 25.2)#9132

Merged
manolo merged 2 commits into
25.2from
cherry-pick-9124-to-25.2-1783609200254
Jul 10, 2026
Merged

Depend on internal artifacts instead of the umbrella artifacts (#9124) (CP: 25.2)#9132
manolo merged 2 commits into
25.2from
cherry-pick-9124-to-25.2-1783609200254

Conversation

@vaadin-bot

Copy link
Copy Markdown
Contributor

This PR cherry-picks changes from the original PR #9124 to branch 25.2.

Original PR description

Summary

vaadin-jandex, vaadin-core-jandex, vaadin-spring-boot-starter and the vaadin-quarkus extension depended on the vaadin and vaadin-core umbrella artifacts. They now depend on vaadin-internal and vaadin-core-internal, which provide the same classes at runtime (the umbrellas add no runtime dependencies over the internals). vaadin-spring-boot-starter and the quarkus extension get an explicit ${project.version}, since vaadin-core-internal is not managed by the imported BOMs.

Context

This leaves vaadin and vaadin-core as leaf artifacts that no other module in the build depends on. That lets the release publish the rest of the platform (including vaadin-ee) first and publish vaadin and vaadin-core in a later pass, without leaving any published artifact with an unresolvable dependency in between. It also matches how vaadin-ee already builds, using the internal artifacts.

Verified locally: vaadin-jandex, vaadin-core-jandex, vaadin-spring-boot-starter and the quarkus extension build and pass the enforcer.

vaadin-jandex, vaadin-core-jandex, vaadin-spring-boot-starter and the
vaadin-quarkus extension depended on the vaadin and vaadin-core umbrella
artifacts. Point them at vaadin-internal and vaadin-core-internal, which
provide the same classes at runtime. This leaves vaadin and vaadin-core as
leaf artifacts that no other module depends on, so they can be built and
published independently from the rest of the platform.
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Dependencies Report

  • 🚫 Vulnerabilities:

    • Vulnerabilities in: pkg:maven/ch.qos.logback/logback-core@1.5.34 [CVE-2026-10532] (osv-bomber,osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.4 [CVE-2026-54515] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:fasterxml:jackson-databind::::::::
      · cpe:2.3:a:fasterxml:jackson-databind:2.22.0:::::::*
    • Vulnerabilities in: pkg:maven/tools.jackson.core/jackson-databind@2.21.4 [CVE-2026-54515] (osv-scan)
      ·
    • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-reflect@2.1.21 [CVE-2026-53914] (owasp)
      · cpe:2.3:a:jetbrains:kotlin::::::::
    • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@2.3.0 [CVE-2026-53914] (owasp)
      · cpe:2.3:a:jetbrains:kotlin::::::::
    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@11.0.22 [CVE-2026-53434, CVE-2026-55276, CVE-2026-53404, CVE-2026-55955, CVE-2026-55956, CVE-2026-50229] (owasp)
      · cpe:2.3:a:apache:tomcat::::::::
  • 🟠 Known Vulnerabilities:

    • Vulnerabilities in: pkg:npm/%40opentelemetry/core@1.9.0 [CVE-2026-54285] (osv-bomber)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.8.0 [CVE-2026-54285] (osv-scan)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:npm/%40opentelemetry%2Fcore@1.9.0 [CVE-2026-54285] (osv-scan)
      👌 Not affected: @opentelemetry/core is a transitive dep of the browser Web SDK and is used only to ORIGINATE spans. The vulnerable W3CBaggagePropagator.extract() (inbound untrusted baggage parsing) is never on the execution path. vulnerable_code_not_in_execute_path.
      ·
    • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
      👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
      · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
      · cpe:2.3:a:ada:ada::::::::
    • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-swing-kit-flow@3.0.1 [CVE-2021-33604] (owasp)
      👌 false report: this CVE is targeting Vaadin version prior 20, swing-kit-flow is using vaadin 24+ version, the related issue has been fixed.
      · cpe:2.3:a:vaadin:flow-server::::::::
      · cpe:2.3:a:vaadin:vaadin::::::::
  • 📔 No Core License Issues

  • 📔 No License Issues

[Click for more Details]

@manolo manolo merged commit 0b5e2c6 into 25.2 Jul 10, 2026
1 of 2 checks passed
@manolo manolo deleted the cherry-pick-9124-to-25.2-1783609200254 branch July 10, 2026 04:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants