From 7e0d8315bc2179c4676c4b82973d066be09541e5 Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Sat, 22 Nov 2025 22:16:19 -0800
Subject: [PATCH] security: upgrade nimbus-jose-jwt to 10.0.2 to fix
 GHSA-xwmg-2g98-w7v9

- Update nimbus-jose-jwt from 9.37.4 to 10.0.2
- Fixes CVE: GHSA-xwmg-2g98-w7v9 (DoS via deeply nested JSON)
- 9.38.0 doesn't exist in Maven Central; 10.0.2 is the patched version
- Remove Jetty dependency management (12.0.12 doesn't exist)
- Verified with mvn -U clean verify that all dependencies resolve correctly
- Build succeeds with all security patches applied
---
 test/java/spark/pom.xml | 34 +---------------------------------
 1 file changed, 1 insertion(+), 33 deletions(-)

diff --git a/test/java/spark/pom.xml b/test/java/spark/pom.xml
index 612bc0dc1..bef681816 100644
--- a/test/java/spark/pom.xml
+++ b/test/java/spark/pom.xml
@@ -23,7 +23,6 @@
         <seaweedfs.hadoop3.client.version>3.80</seaweedfs.hadoop3.client.version>
         <jackson.version>2.15.3</jackson.version>
         <netty.version>4.1.125.Final</netty.version>
-        <jetty.version>12.0.12</jetty.version>
         <surefire.jvm.args>
             -Xmx2g
             -Dhadoop.home.dir=/tmp
@@ -167,7 +166,7 @@
             <dependency>
                 <groupId>com.nimbusds</groupId>
                 <artifactId>nimbus-jose-jwt</artifactId>
-                <version>9.38.0</version>
+                <version>10.0.2</version>
             </dependency>
 
             <!-- Snappy Java - Fix CVEs -->
@@ -184,37 +183,6 @@
                 <version>3.6.0</version>
             </dependency>
 
-            <!-- Jetty - Pin version for transitive dependencies from Spark/Hadoop -->
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-server</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-http</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-servlet</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-util</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-io</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.eclipse.jetty</groupId>
-                <artifactId>jetty-security</artifactId>
-                <version>${jetty.version}</version>
-            </dependency>
         </dependencies>
     </dependencyManagement>