Merge pull request #2157 from ballerina-platform/update-protobuf-10.x

[2201.10.x] Address `CVE-2024-7254` vulnerability

.github/workflows/build-with-bal-test-graalvm.yml

@@ -6,7 +6,7 @@ on:
             lang_tag:
                 description: Branch/Release Tag of the Ballerina Lang
                 required: true
-                default: master
+                default: 2201.10.x
             lang_version:
                 description: Ballerina Lang Version (If given ballerina lang buid will be skipped)
                 required: false
@@ -29,6 +29,7 @@ on:
             - 2201.7.x
             - 2201.8.x
             - 2201.9.x
+            - 2201.10.x
         types: [opened, synchronize, reopened, labeled, unlabeled]
 
 concurrency:
@@ -41,7 +42,7 @@ jobs:
         if: ${{ github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository_owner == 'ballerina-platform') }}
         uses: ballerina-platform/ballerina-library/.github/workflows/build-with-bal-test-graalvm-template.yml@main
         with:
-            lang_tag: ${{ inputs.lang_tag }}
+            lang_tag: ${{ inputs.lang_tag || '2201.10.x' }}
             lang_version: ${{ inputs.lang_version }}
             native_image_options: '-J-Xmx7G ${{ inputs.native_image_options }}'
             additional_ubuntu_build_flags: '-x :http-native:test -x :http-compiler-plugin-tests:test ${{ inputs.build_properties }}'

ballerina/Ballerina.toml

@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "http"
-version = "2.12.0"
+version = "2.12.1"
 authors = ["Ballerina"]
 keywords = ["http", "network", "service", "listener", "client"]
 repository = "https://github.com/ballerina-platform/module-ballerina-http"
@@ -16,8 +16,8 @@ graalvmCompatible = true
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
-version = "2.12.0"
-path = "../native/build/libs/http-native-2.12.0.jar"
+version = "2.12.1"
+path = "../native/build/libs/http-native-2.12.1-SNAPSHOT.jar"
 
 [[platform.java17.dependency]]
 groupId = "io.ballerina.stdlib"
@@ -169,5 +169,5 @@ path = "./lib/lz4-1.3.0.jar"
 [[platform.java17.dependency]]
 groupId = "com.google.protobufl"
 artifactId = "protobuf-java"
-version = "3.20.3"
-path = "./lib/protobuf-java-3.20.3.jar"
+version = "3.25.5"
+path = "./lib/protobuf-java-3.25.5.jar"

ballerina/CompilerPlugin.toml

@@ -3,7 +3,7 @@ id = "http-compiler-plugin"
 class = "io.ballerina.stdlib.http.compiler.HttpCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/http-compiler-plugin-2.12.0.jar"
+path = "../compiler-plugin/build/libs/http-compiler-plugin-2.12.1-SNAPSHOT.jar"
 
 [[dependency]]
 path = "../compiler-plugin/build/libs/ballerina-to-openapi-2.1.0.jar"

ballerina/Dependencies.toml

@@ -76,7 +76,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.12.0"
+version = "2.12.1"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},

changelog.md

@@ -5,6 +5,12 @@ This file contains all the notable changes done to the Ballerina HTTP package th
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to 
 [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+
+- [Address CVE-2024-7254 vulnerability](https://github.com/ballerina-platform/ballerina-library/issues/7013)
+
 ## [2.12.0] - 2024-08-20
 
 ### Added

gradle.properties

@@ -21,7 +21,7 @@ mockitoVersion=5.3.1
 gsonVersion=2.7
 lz4Version=1.3.0
 marshallingVersion=2.0.5.Final
-protobufVersion=3.20.3
+protobufVersion=3.25.5
 jacocoVersion=0.8.10
 ballerinaToOpenApiVersion=2.1.0
 swaggerCoreVersion=2.2.22