Merge pull request #580 from microsoft/dev

tvaron3 · web-flow · commit 05153e350e0a · 2025-02-24T16:58:11.000-08:00
Merge Dev into Main for a release
diff --git a/.github/workflows/mavenCI.yml b/.github/workflows/mavenCI.yml
@@ -31,7 +31,7 @@ jobs:
       run: ./src/docker/startup.ps1
       if: github.ref == 'refs/heads/main'
     - name: Upload JaCoCo coverage report
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: jacoco-report
         path: target/site/jacoco/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,12 @@
 ## Release History
+### 1.17.0 (2025-02-24)
+#### Key Bug Fixes
+* Updated `azure-cosmos` version to 4.67.0 to address these security vulnerabilities.
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25193,
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24970
+* Added direct dependency on json smart to address the security vulnerability. - [PR 579](https://github.com/microsoft/kafka-connect-cosmosdb/pull/579)
+  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-57699
+
 ### 1.16.0 (2024-11-21)
 #### New Features
 * Updated `azure-cosmos` version to 4.65.0.
diff --git a/pom.xml b/pom.xml
@@ -7,7 +7,7 @@
 
     <groupId>com.azure.cosmos.kafka</groupId>
     <artifactId>kafka-connect-cosmos</artifactId>
-    <version>1.16.0</version>
+    <version>1.17.0</version>
 
     <name> kafka-connect-cosmos</name>
     <url>https://github.com/microsoft/kafka-connect-cosmosdb</url>
@@ -48,13 +48,19 @@
         <dependency>
             <groupId>com.azure</groupId>
             <artifactId>azure-cosmos</artifactId>
-            <version>4.65.0</version>
+            <version>4.67.0</version>
         </dependency>
         <dependency>
             <groupId>com.jayway.jsonpath</groupId>
             <artifactId>json-path</artifactId>
             <version>2.9.0</version>
         </dependency>
+        <!-- remove once jsonpath increments version -->
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>2.5.2</version>
+        </dependency>
 
         <!-- Apache commons -->
         <dependency>
