From e48bf9a79192a5dcf999fdc0b3171a4df589fbca Mon Sep 17 00:00:00 2001
From: chrislu <chris.lu@gmail.com>
Date: Sat, 22 Nov 2025 20:49:37 -0800
Subject: [PATCH] security: upgrade Jetty from 9.4.53 to 12.0.16

- Upgrade from 9.4.53.v20231009 to 12.0.16 (meets requirement >12.0.9)
- Addresses security vulnerabilities in older Jetty versions
- Externalized version to jetty.version property for easier maintenance
- Added jetty-util, jetty-io, jetty-security to dependencyManagement
- Ensures all Jetty transitive dependencies use secure version
---
 test/java/spark/pom.xml | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/test/java/spark/pom.xml b/test/java/spark/pom.xml
index af75836e3..d59bd37a1 100644
--- a/test/java/spark/pom.xml
+++ b/test/java/spark/pom.xml
@@ -23,6 +23,7 @@
         <seaweedfs.hadoop3.client.version>3.80</seaweedfs.hadoop3.client.version>
         <jackson.version>2.15.3</jackson.version>
         <netty.version>4.1.124.Final</netty.version>
+        <jetty.version>12.0.16</jetty.version>
         <surefire.jvm.args>
             -Xmx2g
             -Dhadoop.home.dir=/tmp
@@ -150,21 +151,36 @@
                 <version>2.2</version>
             </dependency>
 
-            <!-- Jetty - Fix CVEs -->
+            <!-- Jetty - Fix CVEs (upgraded to 12.x for security) -->
             <dependency>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-server</artifactId>
-                <version>9.4.53.v20231009</version>
+                <version>${jetty.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-http</artifactId>
-                <version>9.4.53.v20231009</version>
+                <version>${jetty.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.eclipse.jetty</groupId>
                 <artifactId>jetty-servlet</artifactId>
-                <version>9.4.53.v20231009</version>
+                <version>${jetty.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-util</artifactId>
+                <version>${jetty.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-io</artifactId>
+                <version>${jetty.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.eclipse.jetty</groupId>
+                <artifactId>jetty-security</artifactId>
+                <version>${jetty.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>