Conversation

@CrazyHZM CrazyHZM commented Sep 18, 2025

Summary by CodeRabbit

  • Chores
    • CI matrix extended to include JDK 25‑ea; GitHub Actions and setup tooling upgraded.
    • Project and build tooling bumped (Spring Boot parent, plugins, coverage and bytecode tooling, Gradle wrapper upgraded to a newer version).
  • Tests
    • CI builds now run on JDK 25‑ea to validate cross‑version compatibility.

coderabbitai bot commented Sep 18, 2025

Walkthrough

Updated CI workflow to include JDK 25-ea and upgraded GitHub Action versions; bumped Spring Boot parent and <spring.boot.version> in the root POM; updated JaCoCo and ASM properties; upgraded Spring Boot Gradle Plugin, dependency-management-plugin, Spring Core, and the Gradle wrapper version.

Changes

Cohort / File(s): Summary of changes

CI workflow (.github/workflows/maven.yml)
  Extended Maven matrix to include JDK 25-ea; updated actions/checkout v4 → v5 and actions/setup-java v4 → v5.
Root Maven POM (pom.xml)
  Bumped parent version and <spring.boot.version> 3.5.3 → 3.5.6.
Dependency POM (JaCoCo & ASM) (sofa-boot-project/sofaboot-dependencies/pom.xml)
  Updated properties: maven-jacoco-plugin.version 0.8.11 → 0.8.13; asm.version 9.5 → 9.8.
Gradle plugin POM (sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml)
  Bumped plugin dependencies: org.springframework.boot:spring-boot-gradle-plugin 3.1.2 → 3.5.6; io.spring.gradle:dependency-management-plugin 1.1.0 → 1.1.7.
Gradle build & wrapper (sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle, sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/gradle/wrapper/gradle-wrapper.properties)
  Aligned Gradle build dependency versions (Spring Boot, spring-boot-loader-tools, Spring Core) to newer releases; updated Gradle wrapper 8.4 → 9.1.0 via distribution URL change.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer (PR)
    participant GH as GitHub Actions
    participant Checkout as actions/checkout v5
    participant SetupJava as actions/setup-java v5
    participant Maven as Maven (matrix incl. JDK 25-ea)
    participant Repo as Repository (updated POMs/plugins)

    Dev->>GH: push PR
    GH->>Checkout: checkout repository (v5)
    GH->>SetupJava: install Java runtimes (includes 25-ea)
    GH->>Maven: run build across matrix
    Maven->>Repo: read updated POMs/plugins and Gradle wrapper
    Maven-->>GH: build/test results
    GH-->>Dev: report status

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

Suggested reviewers

  • HzjNeverStop
  • crazysaltfish

Poem

I hop through code with whiskers bright,
I nudge the versions late at night.
CI learns a newer Java tune,
Plugins hum beneath the moon.
Carrot merge — now tap the light! 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title "Support jdk25" is concise and directly describes the primary intent of the changeset—adding JDK 25 to the CI matrix (maven.yml) and related updates to align dependencies and build tooling, which matches the branch name and PR objectives. It is specific enough for a reviewer scanning history to understand the main change without unnecessary detail.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
.github/workflows/maven.yml (2)

19-19: JDK 25 in matrix: good. Also bump setup-java to v5 for smoother 25 support.

actions/setup-java v5 has the latest fixes and docs; Temurin 25 GA is rolling out now. Recommend upgrading the action and enabling check-latest for 25 to avoid stale caches. (github.com)

Apply:

-    - name: Set up JDK
-      uses: actions/setup-java@v4
+    - name: Set up JDK
+      uses: actions/setup-java@v5
       with:
         distribution: 'temurin'
-        java-version: ${{ matrix.jdk }}
+        java-version: ${{ matrix.jdk }}
+        check-latest: ${{ matrix.jdk == 25 }}
+        cache: 'maven'
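Review bot: the added `check-latest: ${{ matrix.jdk == 25 }}` line is never true for the early-access entry, because the matrix value is the string `25-ea` (a later comment in this thread quotes `matrix.jdk: [17, 21, 25-ea]`), so the 25-ea job would keep using whatever cached build setup-java already has, which is exactly the stale-cache case the comment wants to avoid. Compare against the real matrix value, e.g. `check-latest: ${{ matrix.jdk == '25-ea' }}`, or use `startsWith(matrix.jdk, '25')` so the expression keeps working once the matrix moves to GA `25`. The `-`/`+` pair around `java-version: ${{ matrix.jdk }}` changes nothing and can be dropped from the suggestion.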

27-33: Zookeeper 3.5.6 is EOL and likely brittle on JDK 25—upgrade to 3.8.x/3.9.x.

3.5.x is long EOL; current/stable are 3.9.x/3.8.x. Running the 2019-era 3.5.6 server under JDK 25 risks startup/runtime failures. Upgrade the test server to 3.9.3 (or 3.8.4). (zookeeper.apache.org)

Apply:

-    - name: Install Zookeeper
-      run: echo "Install Zookeeper 3.5.6"
-        && wget https://archive.apache.org/dist/zookeeper/zookeeper-3.5.6/apache-zookeeper-3.5.6-bin.tar.gz
-        && tar -zxf apache-zookeeper-3.5.6-bin.tar.gz
-        && mv apache-zookeeper-3.5.6-bin/conf/zoo_sample.cfg apache-zookeeper-3.5.6-bin/conf/zoo.cfg
-        && /bin/bash apache-zookeeper-3.5.6-bin/bin/zkServer.sh start
+    - name: Install ZooKeeper 3.9.3
+      run: |
+        echo "Install ZooKeeper 3.9.3"
+        wget https://archive.apache.org/dist/zookeeper/zookeeper-3.9.3/apache-zookeeper-3.9.3-bin.tar.gz
+        tar -zxf apache-zookeeper-3.9.3-bin.tar.gz
+        mv apache-zookeeper-3.9.3-bin/conf/zoo_sample.cfg apache-zookeeper-3.9.3-bin/conf/zoo.cfg
+        /bin/bash apache-zookeeper-3.9.3-bin/bin/zkServer.sh start
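Review bot: the `wget .../apache-zookeeper-3.9.3-bin.tar.gz` line still feeds an unverified download straight into `tar -zxf` and `zkServer.sh start`, so the CI job trusts whatever the archive host returns; add a `sha512sum -c` against the `.sha512` file Apache publishes next to the tarball (or `gpg --verify` of the `.asc` against the project KEYS file) between the download and the extraction. Switching to `run: |` is the right fix for the original `&&` chain, which only worked because YAML folds the continuation lines of a plain scalar into one command. `3.9.3` now appears four times in the step; a single `ZK_VERSION` variable would avoid the same kind of version drift this PR is tidying up elsewhere.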

Optional: run ZK as a service container instead of tarball for faster, reproducible CI.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f4326d7 and 19a7c2b.

📒 Files selected for processing (1)
  • .github/workflows/maven.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: sca

@CrazyHZM CrazyHZM force-pushed the 4.x_feat/support_jdk25 branch 3 times, most recently from 2283b0e to e44e639 Compare September 22, 2025 10:18
@sofastack-cla sofastack-cla bot added size/S and removed size/XS labels Sep 22, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
pom.xml (2)

40-40: Avoid divergence between parent and property: bind spring.boot.version to parent.

Tie the property to the parent so future bumps don’t drift.

-        <spring.boot.version>3.5.6</spring.boot.version>
+        <spring.boot.version>${project.parent.version}</spring.boot.version>
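Review bot: `${project.parent.version}` removes one place to bump, but only one: a later comment on this thread points out that the parent `<version>` in the same POM cannot itself reference a property, so the parent coordinate stays the single literal that must be edited on each Spring Boot upgrade. A short XML comment beside the property saying that it follows the parent would stop the next contributor from re-introducing a literal here.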

47-47: Typo: maven.gpg.pluign → maven.gpg.plugin (property and usage).

Spelling inconsistency is easy to miss later; fix both declaration and reference.

-        <maven.gpg.pluign>1.6</maven.gpg.pluign>
+        <maven.gpg.plugin>1.6</maven.gpg.plugin>
@@
-                        <version>${maven.gpg.pluign}</version>
+                        <version>${maven.gpg.plugin}</version>
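Review bot: the `@@` marker hides the distance between the declaration (line 47) and the usage (line 106); because the property name itself is changing, grep the module POMs for `maven.gpg.pluign` as well, since any child POM that still references the misspelt name would be left with an unresolved `${maven.gpg.pluign}` as the plugin version after this rename.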

Also applies to: 106-106

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 2283b0e and e44e639.

📒 Files selected for processing (2)
  • .github/workflows/maven.yml (1 hunks)
  • pom.xml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/maven.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build (21)
  • GitHub Check: build (17)
  • GitHub Check: build (25)
  • GitHub Check: sca
🔇 Additional comments (2)
pom.xml (2)

42-42: Confirm intent: target Java 17 while building/running on JDK 25.

If you want to compile for 17 but build on 25, this is fine. If you need toolchains to force 17 for compilation, say so and I’ll propose a snippet.


27-27: Upgrade to Spring Boot parent 3.5.6 — verify JDK‑25 compatibility and managed plugin versions

  • Finding: Spring Boot 3.5.6 is documented as compatible up to Java 24 (not Java 25). ASM 9.8 adds Java‑25 support; Surefire/Failsafe 3.5.4+ ship asm 9.8.
  • Action: If you intend to run on JDK 25, ensure maven-surefire-plugin and maven-failsafe-plugin are >= 3.5.4 and the maven-compiler-plugin is JDK‑25‑ready; otherwise target Java 24 or delay the upgrade.
  • I could not inspect your effective POM here (sandbox: mvn not found) — run locally to verify/pin plugin versions:

mvn -v
mvn -q help:effective-pom -DforceStdout | rg -nP '(maven-(surefire|failsafe|compiler)-plugin).*?[^<]+' -C2

Location: pom.xml (line 27): 3.5.6

@CrazyHZM CrazyHZM force-pushed the 4.x_feat/support_jdk25 branch from e44e639 to c9bcee1 Compare September 22, 2025 11:25
codecov bot commented Sep 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.94%. Comparing base (f4326d7) to head (4488e72).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #1390      +/-   ##
============================================
+ Coverage     82.92%   82.94%   +0.02%     
- Complexity     2972     2974       +2     
============================================
  Files           340      340              
  Lines          9833     9833              
  Branches       1178     1178              
============================================
+ Hits           8154     8156       +2     
  Misses         1164     1164              
+ Partials        515      513       -2     

@CrazyHZM CrazyHZM force-pushed the 4.x_feat/support_jdk25 branch 3 times, most recently from dc74e43 to 0fcc66c Compare September 23, 2025 02:44
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml (1)

21-24: Avoid version drift: use ${spring.boot.version} instead of a literal.

This keeps the Gradle plugin aligned with the root property and prevents divergence during future bumps.

Apply:

 <dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-gradle-plugin</artifactId>
-  <version>3.5.6</version>
+  <version>${spring.boot.version}</version>
 </dependency>
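Review bot: `${spring.boot.version}` is declared in the root `pom.xml` (line 40 according to the earlier comment), so the `+  <version>${spring.boot.version}</version>` line only resolves if `sofa-boot-gradle-plugin/pom.xml` inherits from a parent chain that reaches the root POM; confirm the module's `<parent>` before applying, otherwise Maven is left with the literal `${spring.boot.version}` as the version. Note too that `build.gradle` in the same directory still pins `spring-boot-gradle-plugin:3.1.2` (see the repo-wide search later in this thread), so the Maven and Gradle builds of this module would still disagree after this change alone.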
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between dc74e43 and 0fcc66c.

📒 Files selected for processing (4)
  • .github/workflows/maven.yml (1 hunks)
  • pom.xml (2 hunks)
  • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml (1 hunks)
  • sofa-boot-project/sofaboot-dependencies/pom.xml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/maven.yml
  • sofa-boot-project/sofaboot-dependencies/pom.xml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build (17)
  • GitHub Check: build (25-ea)
  • GitHub Check: build (21)
  • GitHub Check: sca
🔇 Additional comments (2)
sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml (1)

21-24: Gradle wrapper OK — no change required.

sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/gradle/wrapper/gradle-wrapper.properties sets distributionUrl=gradle-8.4-bin.zip, which satisfies Spring Boot 3.5's Gradle requirement (8.4+). Also monitor JaCoCo on JDK 25 builds and ensure the project uses a Jacoco release with full Java 25 support.

pom.xml (1)

27-27: Make JDK 25‑ea non‑blocking in CI until upstream supports Java 25.
Found in .github/workflows/maven.yml — matrix.jdk: [17, 21, 25-ea]; make the 25-ea run allowed-to-fail (e.g., conditional continue-on-error or remove it) to avoid blocking builds.

<revision>4.5.0</revision>
<sofa.boot.version>${revision}</sofa.boot.version>
<spring.boot.version>3.5.3</spring.boot.version>
<spring.boot.version>3.5.6</spring.boot.version>
🛠️ Refactor suggestion

🧩 Analysis chain

Property bump aligned; keep all modules sourcing this single property.

Ensure no other POMs hardcode a different Spring Boot version (e.g., plugins, BOMs). If any do, switch them to ${spring.boot.version} for single‑point control.

Quick check:


🏁 Script executed:

#!/bin/bash
rg -nP '\bspring-boot(?:-gradle-plugin|-dependencies)?["<:][^>"]*3\.\d+\.\d+' -g '!**/target/**'

Length of output: 148


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "PWD: $(pwd)"
rg --version 2>/dev/null || true
echo

echo "=== CHECK: spring.boot.version property definitions ==="
rg -n --hidden --no-ignore -S -C2 -g '**/*' -g '!**/target/**' '<spring\.boot\.version>\s*[^<]+</spring\.boot\.version>' || true
echo

echo "=== CHECK: usages of \${spring.boot.version} ==="
rg -n --hidden --no-ignore -S -C2 -g '**/*' -g '!**/target/**' '\$\{spring\.boot\.version\}' || true
echo

echo "=== CHECK: explicit <version>3.x in pom.xml ==="
rg -n --hidden --no-ignore -S -C3 -g '**/pom.xml' '<version>\s*3\.\d+\.\d+\s*</version>' || true
echo

echo "=== CHECK: any 3.x version in build files (pom.xml, build.gradle*) ==="
rg -n --hidden --no-ignore -S -C2 -g '**/pom.xml' -g '**/build.gradle*' -g '**/build.gradle.kts' '3\.\d+\.\d+' || true
echo

echo "=== CHECK: spring-boot plugin / BOM references in pom.xml ==="
rg -n --hidden --no-ignore -S -C3 -g '**/pom.xml' '<artifactId>spring-boot-maven-plugin</artifactId>|<artifactId>spring-boot-dependencies</artifactId>|<artifactId>spring-boot-gradle-plugin</artifactId>' || true
echo

echo "=== CHECK: org.springframework.boot references in Gradle files (context) ==="
rg -n --hidden --no-ignore -S -C3 -g '**/build.gradle*' -g '**/build.gradle.kts' 'org\.springframework\.boot' || true
echo

echo "=== CHECK: occurrences of 'spring-boot' with nearby version numbers ==="
rg -n --hidden --no-ignore -S -C3 -g '**/pom.xml' -g '**/build.gradle*' 'spring-boot[^<\n\r]*3\.' || true
echo

echo "=== DONE ==="

Length of output: 12460


Centralize Spring Boot version — replace hardcoded 3.5.6 with ${spring.boot.version}

  • Root pom defines <spring.boot.version> 3.5.6 (pom.xml:40) — keep this as the single source of truth.
  • Hardcoded occurrences found; update them to use the shared property or a shared Gradle version:
    • pom.xml — parent 3.5.6 (pom.xml:27). Note: a property defined in the same POM cannot be used to resolve its parent version; either keep the parent version manually aligned or move the property to a higher-level parent/CI-managed place.
    • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml — org.springframework.boot:spring-boot-gradle-plugin has 3.5.6; replace with ${spring.boot.version}.
    • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle — explicit versions: 'org.springframework.boot:spring-boot-gradle-plugin:3.1.2' and 'org.springframework.boot:spring-boot-loader-tools:3.0.2'; switch to a shared Gradle property (gradle.properties or version catalog) set to 3.5.6.
  • Re-run a repo-wide search for any remaining spring-boot 3.x literals and align them to the single source.
🤖 Prompt for AI Agents
pom.xml lines ~40: the Spring Boot version is hardcoded in several places;
replace literal 3.5.6 usages with the shared property ${spring.boot.version}
where allowed (e.g., module poms and plugin declarations), but do not attempt to
use the property for this POM’s parent <version> (a property in the same POM
cannot resolve parent version) — either keep the parent version manually synced
or move the spring.boot.version property to a higher-level parent or CI-managed
BOM; update sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml to
use ${spring.boot.version} for
org.springframework.boot:spring-boot-gradle-plugin, and change
sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle to read
the Spring Boot versions from a shared Gradle property or version catalog (move
3.1.2/3.0.2 to gradle.properties or catalog and set them to 3.5.6), then run a
repo-wide search to replace any remaining literal spring-boot 3.x versions with
the centralized property or Gradle catalog entry.

@CrazyHZM CrazyHZM force-pushed the 4.x_feat/support_jdk25 branch from 0fcc66c to 7c50973 Compare September 23, 2025 03:09
Signed-off-by: JermaineHua <[email protected]>
@CrazyHZM CrazyHZM force-pushed the 4.x_feat/support_jdk25 branch from 7c50973 to 4488e72 Compare September 23, 2025 03:47
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/gradle/wrapper/gradle-wrapper.properties (1)

3-3: Gradle 9.1 aligns with Java 25; add wrapper checksum and regen scripts.

  • Gradle 9.0 only supports running on up to Java 24; 9.1 introduces full Java 25 support. Please keep 9.1, but add distributionSha256Sum for supply‑chain integrity and regenerate wrapper files via ./gradlew wrapper. (docs.gradle.org)

Apply this diff (replace the placeholder with the official SHA‑256 for gradle‑9.1.0‑bin.zip):

 distributionUrl=https\://services.gradle.org/distributions/gradle-9.1.0-bin.zip
+distributionSha256Sum=<sha256-of-gradle-9.1.0-bin.zip>
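Review bot: `+distributionSha256Sum=<sha256-of-gradle-9.1.0-bin.zip>` is a placeholder and must not be committed as-is; the wrapper compares the downloaded zip against this value and a non-hex string fails every build. Take the value from the `gradle-9.1.0-bin.zip.sha256` file published on services.gradle.org rather than from a mirror or a third-party page, and keep in mind that once the sum is pinned, `distributionUrl` and `distributionSha256Sum` must always change together on the next upgrade.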

Run:

  • ./gradlew wrapper --gradle-version 9.1.0 --gradle-distribution-sha256-sum
  • Verify ./gradlew and ./gradlew.bat updated and executable bits preserved.
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7c50973 and 4488e72.

📒 Files selected for processing (6)
  • .github/workflows/maven.yml (1 hunks)
  • pom.xml (2 hunks)
  • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle (1 hunks)
  • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/gradle/wrapper/gradle-wrapper.properties (1 hunks)
  • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml (1 hunks)
  • sofa-boot-project/sofaboot-dependencies/pom.xml (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • pom.xml
  • .github/workflows/maven.yml
  • sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/pom.xml
  • sofa-boot-project/sofaboot-dependencies/pom.xml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build (25-ea)
  • GitHub Check: build (17)
  • GitHub Check: build (21)
  • GitHub Check: sca
🔇 Additional comments (1)
sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle (1)

18-20: Version bumps look correct and JDK25‑ready.

spring‑boot‑gradle‑plugin and spring‑boot‑loader‑tools 3.5.6 exist and are current; dependency‑management‑plugin 1.1.7 is latest on the portal. These should work with Gradle 9.x. (plugins.gradle.org)

To be safe with Gradle 9/Java 25, please run a matrix build on JDK 17/21/25 and check for deprecations/config‑cache warnings from these plugins.
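The wrapper checksum asked for in the comment above, and the same download verification that the earlier ZooKeeper tarball suggestion in this thread lacks, as an added example that is not part of this PR, of SOFABoot or of CodeRabbit. The properties text and the zip bytes are constructed stand-ins, and `check_wrapper`, `wrapper_findings` and `verify_digest` are names introduced here.

```python
"""Pre-merge check for a Gradle wrapper pin (added example, not project code).

Parses gradle-wrapper.properties, requires an https services.gradle.org
distributionUrl plus a well-formed distributionSha256Sum, and verifies the
downloaded bytes against that pin. verify_digest() also serves a ZooKeeper
tarball checked against its published .sha512 (algorithm="sha512").
"""
import hashlib
import hmac
import re


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value, and
    the '\\:' escape Gradle writes into distributionUrl (https\\://...)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def wrapper_findings(props: dict[str, str]) -> list[str]:
    """Policy check on parsed wrapper properties; an empty list is acceptable."""
    findings = []
    url = props.get("distributionUrl", "")
    if not url.startswith("https://services.gradle.org/distributions/"):
        findings.append(f"distributionUrl is not an https services.gradle.org URL: {url!r}")
    digest = props.get("distributionSha256Sum", "")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        # Catches a missing key and a committed placeholder such as
        # <sha256-of-gradle-9.1.0-bin.zip> alike.
        findings.append("distributionSha256Sum missing or not a 64-hex-digit SHA-256")
    return findings


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of a download against its pinned digest."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# --- Constructed sample input (not a real Gradle distribution) ---------------
FAKE_DISTRIBUTION = b"PK\x03\x04 constructed stand-in for gradle-9.1.0-bin.zip"
PINNED_SHA256 = hashlib.sha256(FAKE_DISTRIBUTION).hexdigest()

# Properties as they would be committed after the suggested fix (constructed).
PINNED_PROPS = f"""\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-9.1.0-bin.zip
distributionSha256Sum={PINNED_SHA256}
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

# The same file with the placeholder left in, as the review diff shows it.
PLACEHOLDER_PROPS = PINNED_PROPS.replace(PINNED_SHA256, "<sha256-of-gradle-9.1.0-bin.zip>")


def check_wrapper(properties_text: str, distribution: bytes) -> tuple[list[str], bool]:
    """Run the policy check and the digest verification together.
    Returns (findings, digest_ok); digest_ok is False whenever findings exist."""
    props = parse_properties(properties_text)
    findings = wrapper_findings(props)
    if findings:
        return findings, False
    return [], verify_digest(distribution, props["distributionSha256Sum"])


if __name__ == "__main__":
    print(check_wrapper(PINNED_PROPS, FAKE_DISTRIBUTION))
    print(check_wrapper(PLACEHOLDER_PROPS, FAKE_DISTRIBUTION))
    print(check_wrapper(PINNED_PROPS, FAKE_DISTRIBUTION + b"tampered"))
```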

Comment on lines 21 to +22
implementation "org.apache.commons:commons-compress:1.19"
implementation "org.springframework:spring-core:6.0.2"
implementation "org.springframework:spring-core:6.2.11"
⚠️ Potential issue

🧩 Analysis chain

Upgrade commons‑compress; 1.19 is years old and vulnerable (DoS CVEs fixed in ≥1.26).

  • CVE‑2024‑25710 and CVE‑2024‑26308 affect versions prior to 1.26; current is 1.28.0. Recommend ≥1.26.0, ideally 1.28.0. (commons.apache.org)
-    implementation "org.apache.commons:commons-compress:1.19"
+    implementation "org.apache.commons:commons-compress:1.28.0"
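Review bot: the jump from `commons-compress:1.19` to `1.28.0` spans nine minor releases, so beyond closing the two CVEs the practical risk is API drift in the archive code this plugin builds on; run the plugin's packaging tests on the full JDK 17/21/25 matrix and check `gradle dependencyInsight --dependency commons-compress` for any other path still resolving 1.19 before treating the CVEs as closed.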

After bump, scan for transitive conflicts and run tests.


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle"
echo "PWD: $(pwd)"
if [ -f "$FILE" ]; then
  echo -e "== File: $FILE ==\n"
  nl -ba "$FILE" | sed -n '1,200p'
  echo -e "\n== Lines 18-24 ==\n"
  nl -ba "$FILE" | sed -n '18,24p'
else
  echo "File not found: $FILE"
  echo "Searching repo for 'commons-compress'..."
  rg -n --hidden -S 'commons-compress' || true
fi

Length of output: 149


🌐 Web query:

commons-compress CVE-2024-25710
commons-compress CVE-2024-26308
Apache Commons Compress release notes 1.26 1.28.0
commons-compress latest version

💡 Result:

Short summary and sources:

  • Apache Commons Compress release notes (versions and dates): release page shows 1.26.0 (2024-02-17) and latest 1.28.0 (2025-07-26). [1]

  • CVE-2024-25710: infinite-loop (loop with unreachable exit) affecting commons-compress 1.3 through 1.25.0; fixed by upgrading to 1.26.0. [2]

  • CVE-2024-26308: resource-allocation / resource-exhaustion issue affecting commons-compress 1.21 up to before 1.26; fixed by upgrading to 1.26. [3]

  • Latest commons-compress version (per Apache release notes): 1.28.0 (published 2025-07-26). [1]

Sources:
[1] Apache Commons Compress — Release Notes (versions 1.26.0, 1.28.0).
[2] CVE-2024-25710 advisory (Amazon Linux / CVE entry).
[3] CVE-2024-26308 details (NVD / OSV entries).


🏁 Script executed:

#!/bin/bash
set -euo pipefail
FILE="sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle"
echo "PWD: $(pwd)"
if [ -f "$FILE" ]; then
  echo "== File: $FILE =="
  awk '{printf "%5d  %s\n", NR, $0}' "$FILE" | sed -n '1,200p'
  echo -e "\n== Lines 18-24 =="
  awk '{printf "%5d  %s\n", NR, $0}' "$FILE" | sed -n '18,24p'
else
  echo "File not found: $FILE"
fi
echo -e "\n== Repo search for commons-compress =="
rg -n --hidden -S 'org.apache.commons:commons-compress' || true
rg -n --hidden -S 'commons-compress' || true

Length of output: 2614


🌐 Web query:

Apache Commons Compress release notes 1.26.0 1.28.0
commons-compress CVE-2024-25710
commons-compress CVE-2024-26308
Apache Commons Compress latest version

💡 Result:

Summary and sources

  • Release notes:

    • Commons Compress 1.26.0 — released 2024-02-17 (changes list for 1.26.0). [1]
    • Commons Compress 1.28.0 — released 2025-07-26 (changes list for 1.28.0). [1]
  • CVEs:

    • CVE-2024-25710 — infinite-loop / DoS affecting commons-compress 1.3 through 1.25.0; fixed in 1.26.0. [2][4]
    • CVE-2024-26308 — resource-exhaustion / OutOfMemory when unpacking broken Pack200 files affecting 1.21–1.25; fixed in 1.26.0. [2][5]
  • Latest version (as of today, 2025-09-23): Apache Commons Compress 1.28.0. [1][3]

Sources

  1. Apache Commons Compress — Release notes / changes (includes 1.26.0 and 1.28.0).
  2. Apache Commons Compress — Security reports (lists CVE-2024-25710 and CVE-2024-26308 fixed in 1.26.0).
  3. Apache Commons Compress — Download page (1.28.0 distribution).
  4. ALAS / CVE-2024-25710 entry (details and advisories).
  5. CVE databases / advisories for CVE-2024-26308 (details and remediation).

Upgrade commons-compress to >=1.26.0 (recommend 1.28.0)

commons-compress 1.19 is vulnerable (CVE‑2024‑25710, CVE‑2024‑26308); fixes were released in 1.26.0 and 1.28.0 is current.

Location: sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle (line 21)

-    implementation "org.apache.commons:commons-compress:1.19"
+    implementation "org.apache.commons:commons-compress:1.28.0"

After bump, scan for transitive conflicts and run the test suite.

🤖 Prompt for AI Agents
In sofa-boot-project/sofa-boot-tools/sofa-boot-gradle-plugin/build.gradle around
lines 21-22 the project depends on commons-compress:1.19 which is vulnerable;
update the dependency to at least 1.26.0 (recommend setting implementation
"org.apache.commons:commons-compress:1.28.0"), then refresh dependencies,
resolve any transitive version conflicts (force or align versions in
dependencyManagement or via resolutionStrategy as needed), and run the full test
suite and a vulnerability scan to confirm the issue is resolved.

@CrazyHZM CrazyHZM merged commit 4d66216 into sofastack:master Sep 23, 2025
9 checks passed
@CrazyHZM CrazyHZM deleted the 4.x_feat/support_jdk25 branch September 23, 2025 04:27