Bump storm-client.version from 2.8.6 to 2.8.7 #1887

Merged
jnioche merged 1 commit into main from dependabot/maven/storm-client.version-2.8.7 on Apr 27, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps storm-client.version from 2.8.6 to 2.8.7.
Updates org.apache.storm:storm-client from 2.8.6 to 2.8.7

Release notes

Sourced from org.apache.storm:storm-client's releases.

Apache Storm 2.8.7 has been released. This release includes critical security fixes, library updates, and documentation improvements. The community strongly encourages all users of previous versions to upgrade to this release.


⚠️ Security Fixes

  • CVE-2026-40557: JVM-wide TLS Security Downgrade in Prometheus Reporter
    • Versions Affected: 2.6.3 to 2.8.6.
    • Technical Description: Enabling the skip_tls_validation configuration in the Prometheus Reporter caused an improper certificate validation that replaced the default SSL context. This resulted in a JVM-wide TLS security downgrade, affecting all components within the same process.
    • Fix: The reporter now uses a scoped SSL context for validation bypass, ensuring the default JVM SSL context remains secure.
  • CVE-2026-41081: Improper Handling of TLS Client Authentication Failures
    • Versions Affected: All versions before 2.8.7.
    • Technical Description: When TLS client authentication was enabled, failed authentication attempts were incorrectly assigned a fallback "ANONYMOUS" principal. This allowed unauthorized users to potentially bypass authorization checks that relied on the presence of a principal.
    • Fix: Connections are now strictly rejected if TLS client authentication fails or is missing when required.
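Both advisory entries above turn on the same mistake: a security decision that should have been local to one connection or one client leaked into a process-wide or connection-wide default. The Java below is an added illustration of the two patterns, not Storm's Prometheus reporter or TLS transport code; the class and method names are hypothetical, and `skip_tls_validation` is the configuration key named in the release note. The first pair shows a trust-all context installed via `SSLContext.setDefault()` (the JVM-wide downgrade) next to the same context confined to a single `HttpClient`; the second pair shows the "ANONYMOUS" fallback on a failed client-certificate check next to the strict version that rejects the connection.

```java
import java.net.http.HttpClient;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Constructed illustration of the two advisory patterns; not Storm code.
// Class and method names are hypothetical.
public final class TlsScopeExample {

    // A trust manager that accepts any chain. This is the "validation bypass"
    // the advisory refers to; it must never become the JVM default.
    private static TrustManager[] trustAll() {
        return new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
    }

    private static SSLContext permissiveContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll(), null);
        return ctx;
    }

    // Pre-fix shape (CVE-2026-40557): the bypass is installed process-wide, so
    // every later SSLContext.getDefault() / SSLSocketFactory.getDefault() caller
    // in the same JVM silently stops validating server certificates.
    static void jvmWideDowngrade() throws Exception {
        SSLContext.setDefault(permissiveContext());
    }

    // Post-fix shape: the permissive context is handed only to the one client
    // whose operator opted out via skip_tls_validation. The default context,
    // and therefore every other component in the process, is untouched.
    static HttpClient scopedReporterClient(boolean skipTlsValidation) throws Exception {
        if (!skipTlsValidation) {
            return HttpClient.newHttpClient();   // default context, full validation
        }
        return HttpClient.newBuilder().sslContext(permissiveContext()).build();
    }

    // Pre-fix shape (CVE-2026-41081): a failed or absent client certificate is
    // replaced by a synthetic "ANONYMOUS" principal, so an authorization check
    // that only asks "is there a principal?" passes for an unauthenticated peer.
    static Principal principalWithFallback(SSLSession session) {
        try {
            return session.getPeerPrincipal();
        } catch (SSLPeerUnverifiedException unverified) {
            return () -> "ANONYMOUS";
        }
    }

    // Post-fix shape: no fallback. getPeerPrincipal() throws when the peer was
    // not verified, and the caller closes the connection instead of proceeding.
    static Principal requirePeerPrincipal(SSLSession session) throws SSLPeerUnverifiedException {
        Principal p = session.getPeerPrincipal();
        if (p == null || p.getName().isEmpty()) {
            throw new SSLPeerUnverifiedException("client certificate required but not verified");
        }
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLContext defaultBefore = SSLContext.getDefault();
        scopedReporterClient(true);
        // The scoped client leaves the JVM default alone.
        System.out.println("default unchanged: " + (SSLContext.getDefault() == defaultBefore));

        jvmWideDowngrade();
        // After the pre-fix call the default has been replaced for the whole process.
        System.out.println("default replaced:  " + (SSLContext.getDefault() != defaultBefore));
    }
}
```

The `main` method makes the blast radius visible: after `scopedReporterClient(true)` the object returned by `SSLContext.getDefault()` is still the one captured beforehand, whereas after `jvmWideDowngrade()` it is not. The same comparison is a cheap regression check to keep in a test suite for any component that offers a "skip TLS validation" switch.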

🐛 Bug Fixes

  • #8518 - Cache busting is broken - ${packageTimestamp} is never substituted in HTML resources.
  • #8516 - Hardening: clean up TlsTransportPlugin and surface unverified peers.
  • #8515 - Profiling/debugging REST endpoints should use POST instead of GET.
  • #8533 - flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc.
  • #8532 - storm-client: fix 'accross' -> 'across' in Stream.java Javadoc.
  • #8531 - storm-core: fix 'seperate' -> 'separate' in configuration.h comment.
  • #8530 - docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc.
  • #8529 - docs: fix 'recieved' -> 'received' in IAutoCredentials Javadoc.

📦 Dependency Upgrades

| Dependency | From | To | PR |
|---|---|---|---|
| com.google.guava:guava | 33.5.0-jre | 33.6.0-jre | #8526 |
| org.apache.commons:commons-configuration2 | 2.13.0 | 2.14.0 | #8525 |
| org.bouncycastle (bouncycastle.version) | 1.83 | 1.84 | #8524 |
| org.rocksdb:rocksdbjni | 10.10.1 | 10.10.1.1 | #8523 |
| org.jgrapht:jgrapht-core | 0.9.0 | 1.5.3 | #8522 |
| org.apache.hbase:hbase-client | 2.6.4-hadoop3 | 2.6.5-hadoop3 | #8520 |
| follow-redirects (storm-webapp) | 1.15.11 | 1.16.0 | #8519 |
| axios (storm-webapp) | 1.13.6 | 1.15.0 | #8511 |
| org.apache.activemq:activemq-client | 6.2.3 | 6.2.4 | #8508 |
| org.apache.activemq:activemq-broker | 6.2.3 | 6.2.4 | #8507 |
| org.apache.activemq:activemq-all | 6.2.3 | 6.2.4 | #8506 |
| org.apache.activemq:activemq-mqtt | 6.2.3 | 6.2.4 | #8505 |

📝 Contributors

... (truncated)

Commits
  • db9cce5 [maven-release-plugin] prepare release v2.8.7
  • c9087ca storm-core: fix 'seperate' -> 'separate' in configuration.h comment
  • 7423651 docs: fix 'occured' -> 'occurred' in LocallyCachedBlob Javadoc
  • a2caed9 storm-client: fix 'accross' -> 'across' in Stream.java Javadoc
  • 820eaaf flux: fix 'recieveed' -> 'received' in LogInfoBolt Javadoc
  • c09f03a security: fix 'recieved' -> 'received' in IAutoCredentials Javadoc
  • a023ef5 Regenerate license files after dependency changes
  • 046cab5 Upgrade to JGraphT 1.5.3
  • 6b32b2f Bump org.jgrapht:jgrapht-core from 0.9.0 to 1.5.3
  • 4d748f3 Regenerate license files after dependency changes
  • Additional commits viewable in compare view

Updates org.apache.storm:storm-hdfs from 2.8.6 to 2.8.7

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps `storm-client.version` from 2.8.6 to 2.8.7.

Updates `org.apache.storm:storm-client` from 2.8.6 to 2.8.7
- [Release notes](https://github.com/apache/storm/releases)
- [Commits](apache/storm@v2.8.6...v2.8.7)

Updates `org.apache.storm:storm-hdfs` from 2.8.6 to 2.8.7

---
updated-dependencies:
- dependency-name: org.apache.storm:storm-client
  dependency-version: 2.8.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
- dependency-name: org.apache.storm:storm-hdfs
  dependency-version: 2.8.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Apr 27, 2026
@jnioche jnioche added this to the 3.6.0 milestone Apr 27, 2026
@jnioche jnioche merged commit 5e8c144 into main Apr 27, 2026
2 checks passed
@jnioche jnioche deleted the dependabot/maven/storm-client.version-2.8.7 branch April 27, 2026 09:25