chore(deps): update dependency io.lettuce:lettuce-core to v6.5.1.release [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
io.lettuce:lettuce-core	6.3.1.RELEASE -> 6.5.1.RELEASE

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-q4h9-7rxj-7gx2

Summary

Note: i'm reporting this in this way purely because it's private and i don't want to broadcast vulnerabilities.

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Details

https://github.com/redis/lettuce/blob/main/pom.xml#L67C9-L67C53 The netty version pinned here is currently

<netty.version>4.1.113.Final</netty.version>

This version is vulnerable according to Snyk and is affecting one of our products:

Here is a link to the CVE

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.
Not applicable

Impact

What kind of vulnerability is it? Who is impacted?
Denial of Service, affecting Windows users.

---

Release Notes

lettuce-io/lettuce-core (io.lettuce:lettuce-core)

v6.5.1.RELEASE

Compare Source

What's Changed

• Bump to netty 4.1.115.Final to consume the security fix for CVE-2024-47535 by @​tishun
• Restore API that was incidently deleted when introducing the JSON feature by @​tishun in https://github.com/redis/lettuce/pull/3065
• Propagate handshake failures to Handshake future @​mp911de in https://github.com/redis/lettuce/pull/3058
• Json commands not exposed in AsyncCluster by @​tishun in https://github.com/redis/lettuce/pull/3048
• OpsForGeo producing "READONLY You can't write against a read only replica " by @​ggivo in https://github.com/redis/lettuce/pull/3032
• WATCH is now working in the same time as MULTI when called inside a MULTI by @​tishun in https://github.com/redis/lettuce/pull/3027

Full Changelog: redis/lettuce@6.5.0.RELEASE...6.5.1.RELEASE

v6.5.0.RELEASE

Compare Source

⭐ New Features

• Introducing JSON to Lettuce (#​2992)
• Add support for the CLUSTER MYSHARDID command (#​2920)
• Add support for the CLUSTER LINKS command (#​2986)
• Add support for the CLIENT TRACKINGINFO command (#​2862)
• Default ClientOptions.timeoutOptions to TimeoutOptions.enabled() (#​2927)
• Propagate database number, user, and RedisURI into Tracing (#​3005)
• Add support for creating regex and subnet-based ReadFrom instances from a single string (#​3016)
• Add hasNoSlots() method to RedisClusterNode (#​3015)

🐞 Bug Fixes

• Initialize slots with empty BitSet in RedisClusterNode's constructors (#​2341)
• fix(2971): spublish typo fix (#​2972)
• Update completeExceptionally on ClusterCommand using super (#​2980)
• Add defensive copy for Futures allOf() method (#​2943)
• fix:deadlock when reentrant exclusive lock #​2905 #​2879 (#​2961)
• ClassNotFoundException: com.fasterxml.jackson.core.JsonProcessingException (#​2993)
• ScanIterator.scan.stream().toList() causes "java.lang.IllegalStateException: Accept exceeded fixed size of 0" on Java 16+ (#​3002)
• fix: Lcs response parse (#​2970)
• Resubscribe logic ignoring Pub/Sub shard channels after reconnect. (#​3024)
• Command interface - issues with async array results (#​3033)

💡 Other

• Add badges to the README.md file (#​2939)
• Convert wiki to markdown docs (#​2944)
• Add the Github repo url to the doc config (#​3008)
• document update regarding addressResolverGroup settings (#​3007)
• Add CodeCov configuration, enable test analytics (#​3023)
• io.lettuce.core.RedisCommandExecutionException: NOAUTH Authentication required on CLIENT and READONLY command (#​3035)
• Bump org.jacoco:jacoco-maven-plugin from 0.8.9 to 0.8.12 (#​2921)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.2.5 to 3.3.1 (#​2922)
• Bump org.apache.maven.plugins:maven-failsafe-plugin from 3.2.5 to 3.3.1 (#​2958)
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.7.0 to 3.8.0 (#​2957)
• Bump org.apache.maven.plugins:maven-surefire-plugin from 3.3.1 to 3.4.0 (#​2968)
• Bump org.hdrhistogram:HdrHistogram from 2.1.12 to 2.2.2 (#​2966)
• Bump org.apache.maven.plugins:maven-compiler-plugin from 3.12.1 to 3.13.0 (#​2978)
• Bump org.apache.logging.log4j:log4j-bom from 2.17.2 to 2.24.0 (#​2988)
• Bump io.netty:netty-bom from 4.1.107.Final to 4.1.113.Final (#​2990)
• Suspected change in ubuntu causing CI failures (#​2949)
• MKdocs styling update (#​3034)

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​zeze1004 made their first contribution in https://github.com/redis/lettuce/pull/2852
• @​jkrauze made their first contribution in https://github.com/redis/lettuce/pull/2972
• @​Roiocam made their first contribution in https://github.com/redis/lettuce/pull/2961
• @​jinkshower made their first contribution in https://github.com/redis/lettuce/pull/2943
• @​joshrotenberg made their first contribution in https://github.com/redis/lettuce/pull/3008
• @​nosan made their first contribution in https://github.com/redis/lettuce/pull/3016
• @​wmxl made their first contribution in https://github.com/redis/lettuce/pull/3015
• @​winguse made their first contribution in https://github.com/redis/lettuce/pull/3007
• @​jabolina made their first contribution in https://github.com/redis/lettuce/pull/2970

Full Changelog: redis/lettuce@6.4.0.RELEASE...6.5.0.RELEASE

v6.4.1.RELEASE

Compare Source

🐞 Bug Fixes

• (crossport to 6.4.x) spublish typo fix (#​2972)
• Sharded PubSub subscriptions not recovered after disconn… #​2940
• Implement missing method in the BooleanListOutput (#​3033)
• Add defensive copy for Futures allOf() method (#​2943)
• fix:deadlock when reentrant exclusive lock #​2905 #​2879 (#​2961)

Full Changelog: redis/lettuce@6.4.0.RELEASE...6.4.1.RELEASE

v6.4.0.RELEASE

Compare Source

⭐ New Features

• Implement HPEXPIRE, HPEXPIREAT, HPEXPIRETIME, HTTL and HPTTL` (#​2857)
• Implement HEXPIRE, HEXPIREAT, HEXPIRETIME and HPERSIST (#​2836)
• Mark dnsResolver(DnsResolver) as deprecated. (#​2855)
• implementation of PUBSUB SHARDCHANNELS (#​2793)
• Add support for SUNSUBSCRIBE #​2759 (#​2851)
• Add support for SPUBLISH (#​2838)
• Add a evalReadOnly overload that accepts the script as a String (#​2868)
• XREAD support for reading last message from stream (#​2863)
• Send the CLIENT SETINFO command in a fire-and-forget way (#​2823)
• Add support CLIENT KILL [MAXAGE] (#​2782)
• Support HSCAN with NOVALUES argument (#​2816)
• Server addressed the issues of empty list returned for missing keys (#​2899)

🐞 Bug Fixes

• Remove not readonly commands #​2832 (#​2871)
• Handle NPE (#​2906)

💡 Other

• Fixed the release flow (#​2896)
• Setting the next release to be 6.4.x as part of #​2880 (#​2881)
• Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.4.1 (#​2875)
• Bump org.apache.maven.plugins:maven-assembly-plugin from 3.6.0 to 3.7.1 by @​dependabot (#​2887)
• Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.6.3 to 3.7.0 (#​2873)
• Bump org.apache.commons:commons-pool2 from 2.11.1 to 2.12.0 (#​2877)
• Bump org.codehaus.mojo:flatten-maven-plugin from 1.5.0 to 1.6.0 (#​2874)
• Bump org.openjdk.jmh:jmh-generator-annprocess from 1.21 to 1.37 (#​2876)
• Bump reactor.version from 3.6.4 to 3.6.6 by @​dependabot (#​2889)
• Add release drafter workflow (#​2820)
• Applying code formatter each time we run a Maven build (#​2841)
• Flaky integration test frequently fails the pipeline (#​2844)
• GitHub issue template polishing and stale issues action (#​2833)
• Attempt to stabilize integration tests (#​2825)
• Add snapshot and release workflows (#​2810)
• Fix license in POM (#​2812)
• Created CodeQL analysis configuration by modifying suggested template (#​2811)
• bump setup-java to v4 (#​2807)
• Added unit tests for most of the pubsub classes that did not have any (#​2808)
• Change the license to more permissive MIT (#​2803)
• CI/CD quickstart (#​2777)
• Updated release acton (as part of #​2880) by @​tishun in https://github.com/redis/lettuce/pull/2885
• Fixed the release flow by @​tishun in https://github.com/redis/lettuce/pull/2896

❤️ Contributors

We'd like to thank all the contributors who worked on this release!
@​BalmungSan, @​atakavci, @​dengliming, @​dependabot, @​dependabot[bot], @​gerzse, @​mp911de, @​sullis, @​thachlp, @​tishun, @​uglide and @​yfwz100

Full Changelog: redis/lettuce@6.3.0.RELEASE...6.4.0.RELEASE

v6.3.2.RELEASE

Compare Source

📗 Links

• Reference documentation: https://lettuce.io/core/6.3.2.RELEASE/reference/
• Javadoc: https://lettuce.io/core/6.3.2.RELEASE/api/

⭐ New Features

• Performance: Encoding of keys/values in CommandArgs when using a codec that implements ToByteBufEncoder #​2610
• Switch to ConcurrentLinkedQueue to avoid expensive size calls #​2602
• Use HashedWheelTimer for command expiration management to reduce thread context switches and improve performance #​2773

🐞 Bug Fixes

• Connection reconnect suspended after reconnect to Redis with protected mode #​2770
• Can't PUBLISH when subscribed with RESP3 #​2594

💡 Other

• Upgrade dependencies #​2780

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​Tmpod
• @​ZH379411584
• @​okg-cxf
• @​shikharid
• @​yangty89

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.