
Bump lang3 and netty versions#636

Draft
gayaldassanayake wants to merge 2 commits into wso2:master from gayaldassanayake:si-4.3.2

Conversation

@gayaldassanayake

@gayaldassanayake gayaldassanayake commented Mar 19, 2026

Purpose

$ subject

Goals

Describe the solutions that this feature/fix will introduce to resolve the problems described above

Approach

Describe how you are implementing the solutions. Include an animated GIF or screenshot if the change affects the UI (email documentation@wso2.com to review all UI text). Include a link to a Markdown file or Google doc if the feature write-up is too long to paste here.

User stories

Summary of user stories addressed by this change

Release note

Brief description of the new feature or bug fix as it will appear in the release notes

Documentation

Link(s) to product documentation that addresses the changes of this PR. If no doc impact, enter “N/A” plus brief explanation of why there’s no doc impact

Training

Link to the PR for changes to the training content in https://github.com/wso2/WSO2-Training, if applicable

Certification

Type “Sent” when you have provided new/updated certification questions, plus four answers for each question (correct answer highlighted in bold), based on this change. Certification questions/answers should be sent to certification@wso2.com and NOT pasted in this PR. If there is no impact on certification exams, type “N/A” and explain why.

Marketing

Link to drafts of marketing content that will describe and promote this feature, including product page changes, technical articles, blog posts, videos, etc., if applicable

Automation tests

  • Unit tests

    Code coverage information

  • Integration tests

    Details about the test cases and coverage

Security checks

Samples

Provide high-level details about the samples related to this feature

Related PRs

List any other related PRs

Migrations (if applicable)

Describe migration steps and platforms on which migration has been tested

Test environment

List all JDK versions, operating systems, databases, and browser/versions on which this feature/fix was tested

Learning

Describe the research phase and any blog posts, patterns, libraries, or add-ons you used to solve the problem.

Summary by CodeRabbit

  • Chores
    • Updated Netty dependency to version 4.1.127.Final
    • Updated Apache Commons Lang3 dependency to version 3.18.0

@coderabbitai

coderabbitai bot commented Mar 19, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 027642f3-97e4-45a9-8e23-cf4a9b50ebce


Walkthrough

This change updates dependency versions for Netty (4.1.127.Final) and Commons Lang3 (3.18.0) in the parent POM, while modifying the feature build configuration to copy Commons Lang3 into a lib/launcher directory and include it via build resources instead of as a P2 bundle.

Changes

Cohort / File(s) Summary
Feature Build Configuration
features/org.wso2.msf4j.feature/pom.xml
Added build resource for lib directory, introduced maven-dependency-plugin to copy commons-lang3 artifact during package phase, and removed commons-lang3 from P2 bundles list with comment indicating lib/launcher classpath provision.
Dependency Version Updates
poms/parent/pom.xml
Updated netty.version to 4.1.127.Final and apache.commons.lang3.version to 3.18.0 in dependency management properties.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A hop through dependencies, we bound,
Netty springs ahead with a newer sound,
Commons Lang3 takes the scenic route,
Through lib/launcher paths we compute,
Build and bundle dance a new duet!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is largely incomplete, containing only template placeholders with minimal concrete information. The 'Purpose' field shows only '$ subject' rather than actual problem description or issue links. Fill in all required sections with concrete details: purpose (what problems are addressed, link to issues), goals, approach, release notes, and security/testing information. Replace template placeholders with actual content.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title 'Bump lang3 and netty versions' accurately and directly describes the main change—updating Apache Commons Lang3 and Netty dependency versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gayaldassanayake gayaldassanayake marked this pull request as draft March 19, 2026 04:46

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@poms/parent/pom.xml`:
- Line 794: The POM defines netty.version as 4.1.127.Final which is vulnerable;
update the netty.version Maven property to 4.1.129.Final (or later) to address
CVE-2025-67735, ensure any modules referencing the netty.version property
(search for netty.version) inherit the new value, keep netty-tcnative at
2.0.54.Final (it remains compatible), then rebuild and run tests to verify
compatibility.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 11083791-57e0-43f6-af61-4286cc419d22

📥 Commits

Reviewing files that changed from the base of the PR and between 0561094 and 844120f.

📒 Files selected for processing (2)
  • features/org.wso2.msf4j.feature/pom.xml
  • poms/parent/pom.xml


<!-- Dependencies -->
<netty.version>4.1.118.Final</netty.version>
<netty.version>4.1.127.Final</netty.version>
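Review bot: the netty.version bump stops at 4.1.127.Final, which the inline finding on this thread identifies as still affected by CVE-2025-67735 (CRLF injection in HttpRequestEncoder, first fixed in 4.1.129.Final); set `<netty.version>4.1.129.Final</netty.version>` or later in the same property, check that the netty-tcnative property next to it (2.0.54.Final per the review) still pairs with the new release, and rebuild with tests before marking the PR ready.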

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if Netty 4.1.127.Final exists on Maven Central
curl -s "https://repo1.maven.org/maven2/io/netty/netty-common/4.1.127.Final/netty-common-4.1.127.Final.pom" -o /dev/null -w "%{http_code}"
echo ""

# Check for Netty security advisories via GitHub
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: MAVEN, package: "io.netty:netty-common") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: wso2/msf4j

Length of output: 218


🌐 Web query:

Netty 4.1.127 security vulnerabilities CVE

💡 Result:

Netty 4.1.127.Final includes fixes for CVE-2025-58056 and CVE-2025-58057, which were addressed in the prior 4.1.125.Final release. It has a known vulnerability: CVE-2025-67735 (CRLF injection in HttpRequestEncoder), affecting versions before 4.1.129.Final. Upgrade to 4.1.129.Final or later to resolve it. No other CVEs specifically affect this exact version; older CVEs (e.g., request smuggling from 2019-2021) were fixed in much earlier releases.


🌐 Web query:

netty-tcnative 2.0.54 compatible Netty versions

💡 Result:

netty-tcnative 2.0.54.Final is compatible with Netty 4.1.86.Final and likely other Netty 4.1.x versions around that time (Netty 4.1.80+). This is evidenced by real-world usage where users upgraded to netty-tcnative 2.0.54.Final alongside Netty 4.1.86.Final without inherent version incompatibility (though they faced a missing dependency issue resolved by adding netty-tcnative-classes). Netty treats tcnative as an internal dependency, and compatibility is generally maintained across minor releases within the 4.1 series, as per project maintainers' statements on backward compatibility for recent versions. No official compatibility matrix was found, but practical evidence and project practices support broad 4.1.x compatibility. For official confirmation, check the netty-tcnative GitHub tags or Netty BOM aligned versions.


🏁 Script executed:

# Check the pom.xml for context on netty-tcnative dependency
fd pom.xml | head -5

Repository: wso2/msf4j

Length of output: 238


🏁 Script executed:

head -800 poms/parent/pom.xml | tail -20

Repository: wso2/msf4j

Length of output: 1330


🏁 Script executed:

# Also check around line 795 to see netty-tcnative version
sed -n '790,800p' poms/parent/pom.xml

Repository: wso2/msf4j

Length of output: 667


Upgrade Netty to 4.1.129.Final or later to address CVE-2025-67735.

Netty 4.1.127.Final has a known vulnerability (CVE-2025-67735 - CRLF injection in HttpRequestEncoder). Upgrade to 4.1.129.Final or later. The netty-tcnative 2.0.54.Final dependency remains compatible with the updated version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@poms/parent/pom.xml` at line 794, The POM defines netty.version as
4.1.127.Final which is vulnerable; update the netty.version Maven property to
4.1.129.Final (or later) to address CVE-2025-67735, ensure any modules
referencing the netty.version property (search for netty.version) inherit the
new value, keep netty-tcnative at 2.0.54.Final (it remains compatible), then
rebuild and run tests to verify compatibility.

CVE-2025-67735 is a CRLF injection vulnerability in HttpRequestEncoder
affecting all Netty versions before 4.1.129.Final.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
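The check the review bot performs by hand above (read `netty.version` from `poms/parent/pom.xml`, compare it to the first fixed release) is the kind of gate a reviewer wants to run automatically before a dependency bump merges. The following is an added example, not part of the wso2/msf4j build or of CodeRabbit: it parses a POM's `<properties>` block and reports any version property below a floor. The only floor taken from this thread is Netty 4.1.129.Final for CVE-2025-67735; the sample POM text is constructed to resemble the properties this PR touches, and its artifact coordinates are placeholders.

```python
"""Flag Maven version properties that are below a known fixed release.

Added example for this review thread; it is not part of the wso2/msf4j
build. It reads the <properties> block of a pom.xml and compares selected
version properties against a floor. The only floor taken from the page is
Netty 4.1.129.Final (first release fixing CVE-2025-67735); the sample POM
text is constructed to resemble poms/parent/pom.xml after this PR and its
artifact coordinates are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Floors a reviewer wants enforced, keyed by the POM property name.
# netty.version: the review's finding. apache.commons.lang3.version: the
# PR's own target, included so the check also shows a passing case.
MINIMUMS: Dict[str, str] = {
    "netty.version": "4.1.129.Final",
    "apache.commons.lang3.version": "3.18.0",
}

# Constructed POM fragment (assumption: mirrors the two properties this PR
# touches plus the tcnative property the review mentions).
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.group</groupId>
  <artifactId>example-parent</artifactId>
  <version>0.0.0</version>
  <packaging>pom</packaging>
  <properties>
    <!-- Dependencies -->
    <netty.version>4.1.127.Final</netty.version>
    <netty.tcnative.version>2.0.54.Final</netty.tcnative.version>
    <apache.commons.lang3.version>3.18.0</apache.commons.lang3.version>
  </properties>
</project>
"""


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def version_key(version: str) -> Tuple[int, ...]:
    """Order '4.1.127.Final' style versions by their numeric segments.

    Leading numeric dot-segments are compared as integers; the first
    non-numeric segment ('Final', 'SNAPSHOT', ...) ends the key. Keys are
    padded to four segments so '3.18' and '3.18.0' compare equal.
    """
    parts: List[int] = []
    for seg in version.split("."):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    parts.extend([0] * (4 - len(parts)))
    return tuple(parts[:4])


def read_properties(pom_xml: str) -> Dict[str, str]:
    """Return the <properties> of a POM as a plain name -> value dict."""
    root = ET.fromstring(pom_xml)
    for child in root:
        if _local(child.tag) == "properties":
            return {_local(p.tag): (p.text or "").strip() for p in child}
    return {}


def check_pom_versions(pom_xml: str, minimums: Dict[str, str] = MINIMUMS) -> List[str]:
    """List properties that are missing, unresolved, or below their floor."""
    props = read_properties(pom_xml)
    findings: List[str] = []
    for name, floor in minimums.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name}: not defined in <properties>")
        elif actual.startswith("${"):
            # A property that points at another property cannot be judged here.
            findings.append(f"{name}: unresolved reference {actual}")
        elif version_key(actual) < version_key(floor):
            findings.append(f"{name}: {actual} is below fixed version {floor}")
    return findings


if __name__ == "__main__":
    for line in check_pom_versions(SAMPLE_POM) or ["all checked properties at or above floor"]:
        print(line)
```

Run against the constructed POM it reports only the Netty property; on the real repository, point `read_properties` at `poms/parent/pom.xml` and keep the floor table in version control so the next bump is judged against the advisory, not against whatever version the PR happens to pick.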
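The finding above names the vulnerability class, CRLF injection in an HTTP request encoder, without showing what it looks like. The following is an added example, not Netty's `HttpRequestEncoder` and not a reproduction of the Netty bug or its fix: a toy HTTP/1.1 encoder in its naive form, where a caller-supplied header value containing CR/LF turns into an extra header line for the receiver, beside a hardened form that refuses such values instead of encoding them. The request data is constructed.

```python
"""CRLF injection in an HTTP request encoder: naive form beside a hardened one.

Added example illustrating the vulnerability class the review names for
CVE-2025-67735. It is not Netty's HttpRequestEncoder and does not claim to
reproduce Netty's bug or its fix; it shows why an encoder must refuse CR and
LF in header names and values. All requests below are constructed.
"""
import re
from typing import Dict, List

# RFC 9110 token characters allowed in a header field name.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Bytes that terminate or corrupt a header line on the wire.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when caller-supplied data would alter the wire framing."""


def encode_request_naive(method: str, target: str, headers: Dict[str, str]) -> bytes:
    """Serialise a request by string concatenation, trusting its inputs.

    Any CR/LF in a value is written verbatim, so a value such as
    'a\\r\\nX-Admin: true' becomes two header lines for the receiver.
    """
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def encode_request_hardened(method: str, target: str, headers: Dict[str, str]) -> bytes:
    """Reject, rather than encode, anything that could inject a line."""
    if _CTL.search(method) or _CTL.search(target) or " " in method or " " in target:
        raise HeaderInjectionError("CR/LF/space in request line component")
    for name, value in headers.items():
        if not _TOKEN.match(name):
            raise HeaderInjectionError(f"invalid header name {name!r}")
        if _CTL.search(value):
            raise HeaderInjectionError(f"CR/LF/NUL in value of {name}")
    return encode_request_naive(method, target, headers)


def parse_header_lines(wire: bytes) -> List[bytes]:
    """What a receiver sees: every CRLF-delimited line before the blank line."""
    head = wire.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]  # drop the request line


# Constructed input: a proxy forwards a client-controlled value; the client
# embeds CRLF to append a header it should not be able to set.
ATTACKER_HEADERS = {
    "Host": "example.test",
    "X-Forwarded-For": "203.0.113.7\r\nX-Admin: true",
}


def demo() -> int:
    """Return how many header lines the naive encoder puts on the wire."""
    wire = encode_request_naive("GET", "/", ATTACKER_HEADERS)
    return len(parse_header_lines(wire))


if __name__ == "__main__":
    print(f"naive encoder emitted {demo()} header lines for 2 headers")
    try:
        encode_request_hardened("GET", "/", ATTACKER_HEADERS)
    except HeaderInjectionError as exc:
        print(f"hardened encoder refused: {exc}")
```

The hardened variant raises rather than stripping the offending bytes: silently dropping CR/LF can still leave a value the caller did not intend, whereas a rejected request fails closed and surfaces the tainted input to the caller.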


1 participant