
fix(deps): update dependency org.hibernate:hibernate-core to v5 [security] #2940

Closed

renovate[bot] wants to merge 1 commit into master from renovate/major-hibernateversion

Conversation

renovate Bot (Contributor) commented Apr 15, 2026

This PR contains the following updates:

Package                                  Change
org.hibernate:hibernate-core (source)    4.2.21.Final → 5.3.20.Final

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


SQL injection in hibernate-core

CVE-2020-25638 / GHSA-j8jw-g6fq-mp7h


Details

A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Severity

  • CVSS Score: 7.4 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


SQL Injection in Hibernate ORM

CVE-2019-14900 / GHSA-8grg-q944-cch5


Details

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

hibernate/hibernate-orm (org.hibernate:hibernate-core)

v5.0.2.Final: Second bug-fix release for 5.0


The complete list of changes can be found here.

For information on consuming the release into your build via your favorite dependency-management-capable build tool, see http://hibernate.org/orm/downloads/.

For those of you allergic to dependency-management-capable build tools, the release bundles can be obtained from SourceForge or BinTray.

v5.0.1.Final: First bug-fix release for 5.0


The complete list of changes can be found here.

For information on consuming the release into your build via your favorite dependency-management-capable build tool, see http://hibernate.org/orm/downloads/.

For those of you allergic to dependency-management-capable build tools, the release bundles can be obtained from SourceForge or BinTray.

v5.0.0.Final: 5.0.0 has gone Final!


Today I have released Hibernate ORM 5.0 (5.0.0.Final). This has been a long time coming and is the result
of the efforts of many folks. Thanks to everyone who helped us get here with fixes, bug reports, suggestions,
input and encouragement!

A lot of development has gone into 5.0. Here are the big points:

New bootstrap API

The venerable way to bootstrap Hibernate (build a SessionFactory) has been to use its Configuration class.
Configuration, historically, allowed users to iteratively add settings and mappings in any order and to query the
state of settings and mapping information in the middle of that process. Which meant that building the mapping
information could not effectively rely on any settings being available. This led to many limitations and problems.

5.0 introduces a new bootstrapping API aimed at alleviating those limitations and problems, while allowing
better determinism and better integration. See the Bootstrap chapter in the User Guide for details on using
the new API.

Configuration is still available for use, although in a limited sense. Some of its methods have been removed. Under
the covers Configuration makes use of the new bootstrap API.

Spatial/GIS support

Hibernate Spatial is a project that has been around for a number of years. Karel Maesen has done an amazing job
with it.

Starting in 5.0 Hibernate Spatial is now part of the Hibernate project proper to allow it to better keep up with
upstream development. It is available as org.hibernate:hibernate-spatial. If your application has need for
GIS data, we highly recommend giving hibernate-spatial a try.

Java 8 support

Well, ok.. not all of Java 8. Specifically we have added support for Java 8 Date and Time API in regards to easily mapping
attributes in your domain model using the Java 8 Date and Time API types to the database. This support is available
under the dedicated hibernate-java8 artifact (to isolate Java 8 dependencies). For additional information, see
the Basic Types chapter in the Domain Model Mapping Guide.

Expanded AUTO id generation support

JPA defines support for GenerationType#AUTO limited to just Number types. Starting in 5.0 Hibernate offers expandable support for a broader
set of types, including built-in support for both Number types (Integer, Long, etc) and UUID. Users are also free to plug
in custom strategies for interpreting GenerationType#AUTO via the new org.hibernate.boot.model.IdGeneratorStrategyInterpreter extension.

Naming strategy split

NamingStrategy has been removed in favor of a better designed API. 2 distinct ones actually:

  • org.hibernate.boot.model.naming.ImplicitNamingStrategy - used whenever a table or column is not explicitly named to determine the name to use
  • org.hibernate.boot.model.naming.PhysicalNamingStrategy - used to convert a "logical name" (either implicit or explicit) name of a table or column
    into a physical name (e.g. following corporate naming guidelines)

Attribute Converter support

5.0 offers significantly improved support for JPA 2.1 AttributeConverters:

  • fully supported for non-@Enumerated enum values
  • applicable in conjunction with @Nationalized support
  • now called to handle null values
  • settable in hbm.xml by using type="converter:fully.qualified.AttributeConverterName"
  • integrated with hibernate-envers
  • collection values, map keys
  • support for conversion of parameterized types

Better "bulk id table" support

Support for "bulk id tables" has been completely redesigned to better fit what different databases support.

Transaction management

The transaction SPI underwent a major redesign as part of 5.0 as well. From a user perspective this generally
only comes into view in terms of configuration. Previously applications would work with the different backend
transaction strategies directly via the org.hibernate.Transaction API. In 5.0 a level of indirection has been
added here. The API implementation of org.hibernate.Transaction is always the same now. On the backend, the
org.hibernate.Transaction impl talks to a org.hibernate.resource.transaction.TransactionCoordinator which represents
the "transactional context" for a given Session according to the backend transaction strategy. Users generally do not
need to care about the distinction.

The change is noted here because it might affect your bootstrap configuration. Whereas previously applications would
specify hibernate.transaction.factory_class and refer to a org.hibernate.engine.transaction.spi.TransactionFactory FQN,
with 5.0 the new contract is org.hibernate.resource.transaction.TransactionCoordinatorBuilder and is specified using the
hibernate.transaction.coordinator_class setting. See org.hibernate.cfg.AvailableSettings.TRANSACTION_COORDINATOR_STRATEGY
JavaDocs for additional details.

The following short-names are recognized:

  • jdbc (the default): use JDBC-based transactions (org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl)
  • jta: use JTA-based transactions (org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl)

See the User Guide for additional details.

Schema Tooling

5.0 offers much improvement in the area of schema tooling (export, validation and migration).

Typed Session API

Hibernate's native APIs (Session, etc) have been updated to be typed. No more casting!

Improved OSGi support

Really this started with a frustration over the fragility of hibernate-osgi tests. The first piece was a better testing setup using
Pax Exam and Karaf. This led to us generating (and now publishing!) a Hibernate Karaf features file.

OSGi support has undergone some general improvement as well thanks to feedback from some Karaf and Pax developers and users.

See the Getting Started Guide for additional details on using the new Karaf features file.

Improved bytecode enhancement capabilities

  • dirty tracking
  • bidirectional association management
  • lazy loading

Work on documentation

A lot of work has gone into the documentation for 5.0. It's still not complete (is documentation ever "complete"?), but it is much improved.

See the revamped documentation page (http://hibernate.org/orm/documentation/5.0) for details.

BinTray

For now the plan is to publish the release bundles (zip and tgz) to BinTray. We will continue to publish to SourceForge as well. For the time being
we will publish the bundles to both.

Ultimately we will start to publish the "maven" artifacts there as well.

This is all a work in progress.

How to get it

See http://hibernate.atlassian.net/projects/HHH/versions/20851 for the complete list of changes.

See http://hibernate.org/orm/downloads/ for information on obtaining the releases.

v4.3.11.Final
v4.3.10.Final
v4.3.9.Final
v4.3.8.Final
v4.3.7.Final
v4.3.6.Final
v4.3.5.Final
v4.3.4.Final
v4.3.3.Final
v4.3.2.Final

v4.3.1.Final: Release

See the details at http://in.relation.to/Bloggers/HibernateORM431FinalRelease. See http://hibernate.org/orm/downloads/ for information on getting the artifacts.

v4.3.0.Final


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
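As an added illustration of the two advisories quoted in this PR, and not code from this repository or from Hibernate: a hypothetical Account entity and two report methods. The first has the affected shape, a caller-controlled string passed through CriteriaBuilder.literal() into the SELECT list and GROUP BY, which the advisories name as the positions where Hibernate inlines the literal into the generated SQL. The second is a hardened form that keeps untrusted input out of the query text entirely and routes the one value that must reach the database through a bind parameter. The entity, its attribute names, the label allow-list and the method names are assumptions; for CVE-2020-25638 the assumption is that the comment in question is the one Hibernate emits when hibernate.use_sql_comments is enabled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

/*
 * Illustration only: this is not code from this repository or from Hibernate.
 * Account, its attributes and the report methods are hypothetical.
 */
public class CriteriaLiteralExample {

    @Entity
    public static class Account {
        @Id public Long id;
        public String owner;
        public String region;
    }

    /** Report labels a caller may choose; anything else is refused before it gets near a query. */
    private static final Set<String> ALLOWED_LABELS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("daily", "weekly", "monthly")));

    /**
     * Affected pattern (CVE-2019-14900): a caller-controlled string becomes a Criteria
     * literal in the SELECT list and in GROUP BY. There is no bind parameter for those
     * positions, so Hibernate inlines the literal into the SQL it generates, and the
     * versions listed in the advisory did not escape it correctly. CVE-2020-25638
     * describes the same inlining when a literal ends up in the SQL comment Hibernate
     * can prepend to the query (assumed here to be the hibernate.use_sql_comments path).
     */
    static List<Object[]> reportRisky(EntityManager em, String label) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> q = cb.createQuery(Object[].class);
        Root<Account> a = q.from(Account.class);
        q.multiselect(a.get("region"), cb.count(a), cb.literal(label));
        q.groupBy(a.get("region"), cb.literal(label));
        return em.createQuery(q).getResultList();
    }

    /**
     * Hardened form. The untrusted label never enters the query text: it is checked
     * against the allow-list and attached to each row in Java after the rows come back.
     * The one caller value that must reach the database (the region filter) travels as
     * a named bind parameter, which is sent separately from the SQL text.
     */
    static List<Object[]> reportSafe(EntityManager em, String label, String region) {
        if (!ALLOWED_LABELS.contains(label)) {
            throw new IllegalArgumentException("unsupported report label");
        }
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Object[]> q = cb.createQuery(Object[].class);
        Root<Account> a = q.from(Account.class);
        ParameterExpression<String> regionParam = cb.parameter(String.class, "region");
        q.multiselect(a.get("region"), cb.count(a));
        q.where(cb.equal(a.get("region"), regionParam));
        q.groupBy(a.get("region"));

        List<Object[]> rows = em.createQuery(q)
                .setParameter("region", region)
                .getResultList();
        List<Object[]> out = new ArrayList<>(rows.size());
        for (Object[] row : rows) {
            out.add(new Object[] { row[0], row[1], label });
        }
        return out;
    }
}
```

On the Hibernate 5.2 line and later, hibernate.criteria.literal_handling_mode=BIND turns Criteria literals into bind parameters wherever the HQL translation permits one; the advisory wording ("SELECT or GROUP BY parts", "SQL comments") points at exactly the positions where it does not, which is why the version bump is the actual fix and the code-level habit shown above (never let an untrusted string become a literal at all) is what protects a codebase independent of version. That setting does not exist on the 4.2.21.Final this repository pins.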

bjagg added a commit that referenced this pull request Apr 27, 2026
Problem: Renovate keeps opening major-bump PRs (Spring 5/6, Spring
Security 5+, Hibernate 5+) because the Maven Central versions newer
than what we pin in gradle.properties show up as available, and
[security] flags in those PRs amplify the noise. Each major is a
coordinated migration we are not ready for, and we close them by hand
every cycle. Recent examples: #2937, #2940, #2941, #2942.

Goal: encode the migration constraints in renovate.json so Renovate
stops offering majors that won't be merged. Stays consistent with the
same pinning pattern applied across the portlet repos in the recent
sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet,
NotificationPortlet, etc.).

Changes:
- renovate.json: add three packageRules entries with allowedVersions
  - org.springframework:* / .data:* / .webflow:* → < 5.0
    (Spring 5+ requires a coordinated API migration; Spring 6+ adds
     Jakarta EE + Java 17 on top.)
  - org.springframework.security:* / .oauth:* → < 5.0
    (Bound to the Spring Framework 4.3.x line; moves in lockstep.)
  - org.hibernate:* / org.hibernate.orm:* → < 5.0
    (Hibernate 5+ has API + EntityManager changes; 6+ renames the
     groupId and needs Jakarta EE + Java 17.)

Notes: did not pin Spring LDAP (2.x is current line, 2.4.4 bump in
#2938 is a minor), Springfox (2.10.0 bump in #2935 is also a minor),
or Guava (#2939 to v32 is plausible — resource-server already runs
guava 32). These can flow through normally.

Closes #2937, #2940 (duplicates).
Closes #2941, #2942 (won't migrate this release).

Refs #2938, #2935, #2939 (allowed to proceed normally).
bjagg (Member) commented Apr 27, 2026

Closing — superseded by #2948 which pins Spring/Hibernate to < 5.0 in renovate.json. Major migration to Spring 5+/6+ or Hibernate 5+/6+ is a coordinated effort we are not undertaking this release. When that work is scheduled, the renovate.json caps will be lifted and Renovate can re-propose the upgrades on a clean baseline.
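The renovate.json rules the commit message above describes, written out as an added example; this is not the repository's actual file, which does not appear on this page. It assumes a Renovate version that accepts glob patterns in matchPackageNames (older versions express the same thing with matchPackagePrefixes), and the description strings are assumptions. One consequence worth stating plainly: with these caps in place Renovate also stops proposing the [security] bump in this PR, so on the pinned 4.2.21.Final the two advisories quoted above remain open until the migration is scheduled and the caps are lifted.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "description": "Spring Framework 5+ is a coordinated API migration; hold the 4.3.x line",
      "matchPackageNames": [
        "org.springframework:*",
        "org.springframework.data:*",
        "org.springframework.webflow:*"
      ],
      "allowedVersions": "< 5.0"
    },
    {
      "description": "Spring Security moves in lockstep with Spring Framework 4.3.x",
      "matchPackageNames": [
        "org.springframework.security:*",
        "org.springframework.security.oauth:*"
      ],
      "allowedVersions": "< 5.0"
    },
    {
      "description": "Hibernate 5+ changes the API; 6+ renames the groupId and needs Jakarta EE + Java 17",
      "matchPackageNames": [
        "org.hibernate:*",
        "org.hibernate.orm:*"
      ],
      "allowedVersions": "< 5.0"
    }
  ]
}
```

Spring LDAP, Springfox and Guava are deliberately absent, matching the commit message: their pending bumps are minors (or, for Guava, already in use elsewhere in the project), so they flow through without a rule.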

@bjagg bjagg closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/major-hibernateversion branch April 27, 2026 18:24