Description
Motivation
We have accumulated open dependabot PRs, some dating back to May 2024, and many of them target versions that still need review. Keeping dependencies current, landing security fixes promptly, and keeping the PR backlog clean and actionable all matter for the project's reputation and maintainability.
Current Status (as of Dec 3, 2025)
Quick Wins - Patch/Minor Updates
| PR | Dependency | Current | Target | Status |
|---|---|---|---|---|
| #662 | webpack-dev-middleware | 5.3.3 | 5.3.4 | ✅ Merged |
| #661 | cross-spawn | 7.0.3 | 7.0.6 | ✅ Merged |
| #663 | rollup | 2.76.0 | 2.79.2 | ✅ Merged |
| #652 | handlebars | 4.3.1 | 4.5.0 | ✅ Merged |
GitHub Actions Updates
| PR | Action | Current | Target | Status |
|---|---|---|---|---|
| #649 | actions/checkout | v2/v3 | v5 | ✅ Merged |
| #648 | gradle/wrapper-validation-action | v1 | v3 | ✅ Merged |
| #157 | actions/cache | v3 | v4 | ✅ Merged |
| #156 | release-drafter | v5 | v6 | ✅ Merged |
| #677 | cypress-io/github-action | v4 | v6 | ✅ Merged |
| #152 | cypress-io/github-action | v4 | v6 | ☑️ Closed (replaced by #677) |
Major Version Upgrades (require testing)
| PR | Dependency | Current | Target | Status |
|---|---|---|---|---|
| #676 | protobuf-java runtime (protoc stays at 3.25.5 for codegen) | 3.25.5 | 4.33.0 | 🔍 Open - Ready for review (Security fix) |
| #654 | protoc | 3.21.12 | 4.33.0 | ☑️ Closed (superseded by #676) |
| #653 | protobuf-java | 3.25.5 | 4.33.0 | ☑️ Closed (superseded by #676) |
| #651 | jedis | 3.6.0 | 7.0.0 | ⏳ Open - BREAKING major version jump |
| #650 | opensearch client | 2.18.0 | 3.3.2 | 🚫 BLOCKED by #678 - See OpenSearch Epic |
Security Vulnerabilities
- CVE-2024-37890 - ws package 7.5.8 (DoS vulnerability) → tracked in Upgrade ws package to 8.x (CVE-2024-37890) #643
- Protobuf 3.25.5 - Security issue (CVE announced Jan 2025) → 🔍 Fix ready in Upgrade protobuf to 4.33.0 (Security Fix) #676
- actions/cache - Legacy service sunset Feb 1, 2025 → ✅ Now resolved (merged Dec 3, 2025 - 10 months late)
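A check worth running before closing the ws item, added here as an example (it is not code from this project or from Dependabot): `ws` is almost always a transitive dependency, so a single "Bump ws in /ui" PR can fix one entry while other copies stay nested under other packages in the lockfile. The script below walks a `package-lock.json` (the v1 nested tree or the v2/v3 flat `packages` map) and reports every installed copy of `ws` that is below the first patched release of its major. The patched versions (5.2.4, 6.2.3, 7.5.10, 8.17.1) are taken from the upstream ws advisory for CVE-2024-37890, not from this issue, and the two lockfiles are constructed for the demonstration.

```python
"""Report every installed copy of `ws` in an npm lockfile that is still in a
CVE-2024-37890 affected range. Added example, not code from this project."""
import json
import re
import sys

# First patched release per affected major, taken from the upstream ws advisory
# (assumption carried over from the advisory, not stated in this issue).
# Majors missing from this table are outside the advisory's affected ranges.
WS_FIRST_FIXED = {5: (5, 2, 4), 6: (6, 2, 3), 7: (7, 5, 10), 8: (8, 17, 1)}


def parse_version(version):
    """Parse the leading 'MAJOR.MINOR.PATCH' triple of a version string."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable ws version: {version!r}")
    return tuple(int(x) for x in m.groups())


def ws_is_vulnerable(version):
    """True if this ws release is below the first patched release of its major."""
    parsed = parse_version(version)
    first_fixed = WS_FIRST_FIXED.get(parsed[0])
    return first_fixed is not None and parsed < first_fixed


def _walk_v1(deps, prefix, out):
    # lockfileVersion 1 nests transitive deps under each entry's "dependencies"
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        version = meta.get("version")
        if name == "ws" and version and ws_is_vulnerable(version):
            out.append((path, version))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def find_vulnerable_ws(lockfile_text):
    """Return sorted (install path, version) pairs for every vulnerable ws copy."""
    lock = json.loads(lockfile_text)
    findings = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path; every nested copy
        # of ws has its own entry whose path ends in node_modules/ws
        for path, meta in packages.items():
            if path == "node_modules/ws" or path.endswith("/node_modules/ws"):
                version = meta.get("version")
                if version and ws_is_vulnerable(version):
                    findings.append((path, version))
    else:
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return sorted(findings)


# Constructed sample (lockfileVersion 3): one top-level ws plus two nested
# copies pulled in by other packages, and a package whose name merely
# contains "ws" and must be ignored.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "ui", "lockfileVersion": 3,
    "packages": {
        "": {"name": "ui"},
        "node_modules/ws": {"version": "7.5.8"},
        "node_modules/engine.io/node_modules/ws": {"version": "8.11.0"},
        "node_modules/jest-environment-jsdom/node_modules/ws": {"version": "8.17.1"},
        "node_modules/aws4": {"version": "1.13.2"},
    },
})

# Constructed sample (lockfileVersion 1): the top-level ws is already patched,
# a nested copy under webpack-dev-server is not.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "ui", "lockfileVersion": 1,
    "dependencies": {
        "ws": {"version": "7.5.10"},
        "webpack-dev-server": {"version": "4.15.1",
                               "dependencies": {"ws": {"version": "8.13.0"}}},
    },
})

if __name__ == "__main__":
    # scan a real lockfile when given a path, otherwise the constructed sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK_V3
    hits = find_vulnerable_ws(text)
    for path, version in hits:
        print(f"VULNERABLE ws {version} at {path}")
    sys.exit(1 if hits else 0)  # non-zero exit makes this usable as a CI gate
```

Run it against `ui/package-lock.json` in CI; a non-zero exit means at least one vulnerable copy is still installed, which is the condition #643 should close on. The comparison keys on the affected major rather than on "anything below 8.x" because the advisory also ships a fixed 7.5.10, so staying on 7.x or moving to 8.x is a compatibility decision, not a security one.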
Tracking Issues
- Migrate from com.gradle.enterprise to com.gradle.develocity plugin #641 - Migrate to com.gradle.develocity (closes Bump com.gradle.enterprise from 3.11.1 to 3.18 #240)
- Upgrade io.spring.dependency-management plugin to 1.1.7 #642 - Upgrade io.spring.dependency-management (closes Bump io.spring.dependency-management from 1.0.13.RELEASE to 1.1.6 #201)
- Upgrade ws package to 8.x (CVE-2024-37890) #643 - Upgrade ws to 8.x for CVE-2024-37890 (closes Bump ws from 7.5.8 to 7.5.10 in /ui #188)
- Upgrade protobuf to 4.33.0 (major version, security vulnerability) #644 - Upgrade protobuf to 4.x (closes Bump com.google.protobuf:protobuf-java from 3.21.12 to 4.27.3 #232, Bump com.google.protobuf:protoc from 3.21.12 to 4.27.3 #231) → 🔍 Completed in Upgrade protobuf to 4.33.0 (Security Fix) #676
- Epic: Improve OpenSearch Support and Configuration #678 - Epic: Improve OpenSearch Support (blocks Bump org.opensearch.client:opensearch-rest-high-level-client from 2.18.0 to 3.3.2 #650) → Related issues: Decouple OpenSearch configuration from Elasticsearch namespace #668, Could not initialize class org.opensearch.Version #505, Bug: Terminated tasks with Scheduled status failing to restart on first attempt #615, [FEATURE]: Support Elastic Search 8 (or even 9) #539
Work Completed
PRs Merged (9 total)
- Bump com.github.jknack:handlebars from 4.3.1 to 4.5.0 #652 - handlebars 4.3.1 → 4.5.0
- Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /ui #662 - webpack-dev-middleware 5.3.3 → 5.3.4
- Bump cross-spawn from 7.0.3 to 7.0.6 in /ui #661 - cross-spawn 7.0.3 → 7.0.6
- Bump rollup from 2.76.0 to 2.79.2 in /ui #663 - rollup 2.76.0 → 2.79.2
- Bump actions/checkout from 2 to 5 #649 - actions/checkout v2/v3 → v5
- Bump gradle/wrapper-validation-action from 1 to 3 #648 - gradle/wrapper-validation-action v1 → v3
- Bump actions/cache from 3 to 4 #157 - actions/cache v3 → v4 (critical deadline was Feb 1, 2025 - merged 10 months late)
- Bump release-drafter/release-drafter from 5 to 6 #156 - release-drafter v5 → v6
- Upgrade cypress-io/github-action from v4 to v6 #677 - cypress-io/github-action v4 → v6
Stale/Superseded PRs Closed
- Bump org.jetbrains:annotations from 23.0.0 to 24.1.0 #158 (jetbrains:annotations - module no longer exists)
- Bump com.gradle.enterprise from 3.11.1 to 3.18 #240, Bump io.spring.dependency-management from 1.0.13.RELEASE to 1.1.6 #201, Bump ws from 7.5.8 to 7.5.10 in /ui #188, Bump com.google.protobuf:protobuf-java from 3.21.12 to 4.27.3 #232, Bump com.google.protobuf:protoc from 3.21.12 to 4.27.3 #231, Bump actions/checkout from 2 to 4 #159, Bump mikepenz/action-junit-report from 3 to 4 #154 (outdated dependabot PRs)
- Bump cypress-io/github-action from 4 to 6 #152 (cypress-io/github-action - replaced by Upgrade cypress-io/github-action from v4 to v6 #677)
- Bump com.google.protobuf:protoc from 3.21.12 to 4.33.0 #654, Bump com.google.protobuf:protobuf-java from 3.21.12 to 4.33.0 #653 (protobuf - superseded by Upgrade protobuf to 4.33.0 (Security Fix) #676)
PRs Created
- Upgrade protobuf to 4.33.0 (Security Fix) #676 - Protobuf 4.33.0 security upgrade
- Closes Upgrade protobuf to 4.33.0 (major version, security vulnerability) #644, Bump com.google.protobuf:protobuf-java from 3.21.12 to 4.27.3 #232, Bump com.google.protobuf:protoc from 3.21.12 to 4.27.3 #231
- Supersedes Bump com.google.protobuf:protoc from 3.21.12 to 4.33.0 #654, Bump com.google.protobuf:protobuf-java from 3.21.12 to 4.33.0 #653
- Uses protoc 3.25.5 for codegen + protobuf-java 4.33.0 for runtime (this relies on protobuf-java's rule that the runtime may be newer than the generated code; the reverse is unsupported, so protoc must not be bumped ahead of protobuf-java in a later update)
- All builds and gRPC tests passing
- Ready for review
New Tracking Issues Created
- Epic: Improve OpenSearch Support and Configuration #678 - Epic: Improve OpenSearch Support and Configuration
- Addresses configuration issues (Decouple OpenSearch configuration from Elasticsearch namespace #668)
- Fixes runtime errors (Could not initialize class org.opensearch.Version #505, Bug: Terminated tasks with Scheduled status failing to restart on first attempt #615)
- Blocks Bump org.opensearch.client:opensearch-rest-high-level-client from 2.18.0 to 3.3.2 #650 until foundational issues are resolved
- Related to ES8/9 support ([FEATURE]: Support Elastic Search 8 (or even 9) #539)
Remaining Work
Ready for Review
- Upgrade protobuf to 4.33.0 (Security Fix) #676 - Protobuf 4.33.0 security fix
Blocked PRs
- Bump org.opensearch.client:opensearch-rest-high-level-client from 2.18.0 to 3.3.2 #650 - opensearch client upgrade BLOCKED by Epic: Improve OpenSearch Support and Configuration #678 - Must fix OpenSearch foundation first
Open PRs to Evaluate
- Bump redis.clients:jedis from 3.6.0 to 7.0.0 #651 - jedis 3→7 (evaluate compatibility)
Tracking Issues to Complete
- Migrate from com.gradle.enterprise to com.gradle.develocity plugin #641 - gradle.develocity migration
- Upgrade io.spring.dependency-management plugin to 1.1.7 #642 - spring dependency-management upgrade
- Upgrade ws package to 8.x (CVE-2024-37890) #643 - ws 8.x upgrade (CVE-2024-37890)
- Epic: Improve OpenSearch Support and Configuration #678 - OpenSearch support epic (high priority - affects production users)
Progress Summary
✅ Merged: 9 PRs (all quick wins + GitHub Actions updates)
✅ Closed: 11 stale/superseded PRs (all listed above)
🔍 Ready for Review: 1 PR (#676 - protobuf security fix)
🚫 Blocked: 1 PR (#650 - needs #678 resolved first)
⏳ Open: 1 PR (#651 needs evaluation)
📋 Tracking Issues: 4 remaining (#641, #642, #643, #678)
Note: The actions/cache deadline (Feb 1, 2025, when the legacy cache service was sunset) was missed by 10 months. The upgrade is merged now, but the miss shows why deadline-driven dependency updates, service sunsets as well as security fixes, need to be tracked and landed on time.
New: Created #678 to address OpenSearch support issues holistically before attempting major version upgrades.
Legend
- ✅ Merged/Completed
- 🔍 Ready for review
- 🚫 Blocked
- ⏳ Open/Waiting
- ☑️ Closed/Superseded (no action needed)