[Snyk] Security upgrade org.hibernate:hibernate-validator from 4.3.1.Final to 6.2.0.Final

[lcrowther-snyk]

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• todolist-web-common/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Arbitrary Code Injection SNYK-JAVA-ORGHIBERNATE-15702517	156	org.hibernate:hibernate-validator: 4.3.1.Final -> 6.2.0.Final Major version upgrade No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-ORGHIBERNATE-15702518	99	org.hibernate:hibernate-validator: 4.3.1.Final -> 6.2.0.Final Major version upgrade No Path Found No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection
🦉 Cross-site Scripting (XSS)

[lcrowther-snyk]

This is a major upgrade across two major versions (v4 to v6), introducing significant breaking changes. The upgrade moves from implementing Bean Validation 1.0 to Bean Validation 2.0. This requires code, dependency, and configuration changes.

Key Breaking Changes:

• Maven groupId Change: The Maven groupId has changed from org.hibernate to org.hibernate.validator. You must update your pom.xml or build scripts accordingly.
• Java Requirement: Hibernate Validator 6.2 requires at least Java 8.
• Specification Upgrade: The library now implements Bean Validation 2.0 (JSR 380). This brings new features but also changes to the API.
  • The proprietary method validation from version 4 has been removed and replaced by the standardized API in Bean Validation 1.1 and later. Code using org.hibernate.validator.method must be refactored.
• API Removals:
  • Many classes deprecated in version 4.3 have been removed.
  • The @SafeHtml constraint has been removed in version 6.2.
  • Hibernate-specific constraints like @NotBlank and @Email are deprecated in favor of the standard javax.validation.constraints versions.
• Behavioral Changes: For security reasons, Expression Language (EL) evaluation is now disabled by default for custom violation messages.
• Dependency Changes: You must ensure you are using the Bean Validation 2.0 API (javax.validation:validation-api) and have an Expression Language implementation (like org.glassfish:jakarta.el) on your classpath.

Recommendation:
This is a high-effort migration. It is critical to update the Maven groupId and refactor code that relies on APIs removed since version 4.3. Thoroughly test all validation logic, especially custom method validations and custom violation messages.

Source: Hibernate Validator Migration Guide

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.