chore(deps): bump artemis-jakarta 2.44.0 → 2.54.0 and migrate groupId to org.apache.artemis #24049
Open
stian-sandvold wants to merge 1 commit into
…d to org.apache.artemis

Artemis moved to its own Apache top-level project and migrated its Maven groupId from org.apache.activemq to org.apache.artemis as of 2.50.0. The old coordinates are now relocation stubs, so bumping the version alone makes dependency:analyze fail (declared org.apache.activemq:* vs resolved org.apache.artemis:*). This updates the groupId at all declarations and the analyze ignore entries.

Also fixes CVE-2026-27446 (missing authentication in Core protocol federation), which affects Artemis 2.11.0-2.44.0 and is fixed in 2.52.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

enricocolasante
approved these changes
Jun 1, 2026
jbee
approved these changes
Jun 1, 2026



What
Bumps artemis-jakarta.version from 2.44.0 → 2.54.0 and migrates the Artemis Maven groupId from org.apache.activemq to org.apache.artemis.

This supersedes the Dependabot PR #23903, which bumped only the version. That bump fails the unit-test check because of the groupId change described below — so the version and the groupId need to move together.

Why the groupId change is needed
Apache Artemis became its own Apache top-level project and migrated its Maven coordinates from org.apache.activemq to org.apache.artemis starting in 2.50.0. The old coordinates are still published, but only as relocation stubs that point at the new ones.

The consequence: with just the version bump, we still declare org.apache.activemq:* while Maven resolves the relocated org.apache.artemis:* artifacts. dependency:analyze then fails the dhis-support-artemis module — it sees the new coordinates as "used but undeclared" and the old ones as "unused declared", and the existing analyze ignore entries (pinned to the old groupId) no longer match.

This PR updates the groupId at every declaration and in the three analyze ignore entries, which is the change the upstream migration asks consumers to make. Artemis keeps full package & code compatibility across the move, so there are no Java/API changes — only Maven coordinates.

Security
This upgrade also fixes CVE-2026-27446 (CWE-306, missing authentication for a critical function — CVSS 9.8). An unauthenticated client using the Core protocol could force the broker to open an outbound federation connection to a rogue broker, enabling message injection/exfiltration. It affects Artemis 2.11.0–2.44.0 and is fixed in 2.52.0. Exposure here is limited because the broker is embedded, but the fix is worth having.
Notes on 2.54.0 release changes
The breaking items in the 2.50→2.54 notes don't apply to our embedded usage: Docker image path change, deprecated (non-functional) HTTP transport params, deprecated addSecuritySettings management methods, and default broker.xml security-setting clarifications.

Testing
dependency:analyze on dhis-support-artemis passes (the failure Dependabot's bump hit).
org.apache.artemis:*:2.54.0 and all Netty artifacts stay aligned at 4.2.13.Final.

🤖 Generated with Claude Code
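
A POM audit for the two conditions the description above covers: Artemis versions inside the CVE-2026-27446 affected range, and declarations still using the old groupId at a version where it is only a relocation stub. This is an added example, not code from this PR or its project; the sample POM is constructed, and the function names and finding labels are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
OLD_GROUP, NEW_GROUP = "org.apache.activemq", "org.apache.artemis"
RELOCATED_FROM = (2, 50, 0)                   # groupId migration, per the PR text
CVE_FIRST, CVE_LAST = (2, 11, 0), (2, 44, 0)  # affected range, per the PR text

# Constructed sample POM (not the project's real file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><artemis-jakarta.version>2.44.0</artemis-jakarta.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.activemq</groupId>
      <artifactId>artemis-jakarta-server</artifactId>
      <version>${artemis-jakarta.version}</version></dependency>
    <dependency><groupId>org.apache.activemq</groupId>
      <artifactId>activemq-client</artifactId><version>5.18.3</version></dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """'2.54.0' -> (2, 54, 0); None for anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", text.strip())
    return tuple(map(int, m.groups())) if m else None

def audit_pom(pom_xml):
    """Return sorted (artifactId, finding) pairs for Artemis dependencies in one POM."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", "", NS).strip()
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        if group not in (OLD_GROUP, NEW_GROUP) or not artifact.startswith("artemis-"):
            continue  # other org.apache.activemq artifacts are out of scope
        raw = dep.findtext("m:version", "", NS).strip()
        # Resolve ${property} references one level deep against <properties>.
        raw = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        version = parse_version(raw)
        if version is None:
            findings.append((artifact, "version-unresolved"))  # managed elsewhere
            continue
        if CVE_FIRST <= version <= CVE_LAST:
            findings.append((artifact, "cve-2026-27446-affected"))
        if group == OLD_GROUP and version >= RELOCATED_FROM:
            findings.append((artifact, "relocated-groupid"))
    return sorted(findings)
```

A version-only bump of the sample to 2.54.0 clears the CVE finding but raises relocated-groupid, which is the state in which dependency:analyze fails as described above.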