Merge pull request #245 from contentstack/fix-snyk-issue

Fix snyk issue

Author: reeshika-h

CHANGELOG.md

@@ -1,5 +1,10 @@
 # CHANGELOG
 
+## v2.3.2
+
+### Jan 05, 2026
+- Snyk Fixes
+
 ## v2.3.1
 
 ### Date: 03-Nov-2025

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2012 - 2025 Contentstack
+Copyright (c) 2012 - 2026 Contentstack
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

pom.xml

@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.contentstack.sdk</groupId>
     <artifactId>java</artifactId>
-    <version>2.3.1</version>
+    <version>2.3.2</version>
     <packaging>jar</packaging>
     <name>contentstack-java</name>
     <description>Java SDK for Contentstack Content Delivery API</description>
@@ -20,8 +20,8 @@
         <maven-source-plugin.version>3.3.1</maven-source-plugin.version>
         <maven-javadoc-plugin.version>3.4.1</maven-javadoc-plugin.version>
         <dotenv-source.version>3.0.0</dotenv-source.version>
-        <rxjava-source.version>3.1.10</rxjava-source.version>
-        <retrofit-source.version>2.11.0</retrofit-source.version>
+        <rxjava-source.version>3.1.11</rxjava-source.version>
+        <retrofit-source.version>3.0.0</retrofit-source.version>
         <loggin.version>5.1.0</loggin.version>
         <jococo-plugin.version>0.8.5</jococo-plugin.version>
         <lombok-source.version>1.18.36</lombok-source.version>
@@ -172,12 +172,19 @@
             <artifactId>json-simple</artifactId>
             <version>${json-simple-version}</version>
             <scope>compile</scope>
+            <!-- Exclude junit - it was incorrectly included as compile dep in json-simple -->
+            <exclusions>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.18.2</version>
+            <version>2.19.2</version>
         </dependency>
         <dependency>
             <groupId>com.slack.api</groupId>
@@ -187,7 +194,7 @@
         <dependency>
             <groupId>org.jetbrains</groupId>
             <artifactId>annotations</artifactId>
-            <version>24.0.1</version>
+            <version>26.0.2</version>
         </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
@@ -215,6 +222,34 @@
                 <artifactId>kotlin-stdlib</artifactId>
                 <version>2.1.0</version> 
             </dependency>
+            <!-- Fix CVE-2025-48924: Uncontrolled Recursion in commons-lang3 -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.18.0</version>
+            </dependency>
+            <!-- Fix Spring vulnerabilities from contentstack-utils transitive deps -->
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-core</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-beans</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework</groupId>
+                <artifactId>spring-web</artifactId>
+                <version>6.2.11</version>
+            </dependency>
+            <!-- Fix CVE-2020-15250: junit pulled by json-simple -->
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>4.13.2</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
     <build>

src/test/java/com/contentstack/sdk/TestEntryModel.java

@@ -254,6 +254,7 @@ void testConstructorWithPublishDetails() {
         JSONObject publishDetails = new JSONObject();
         publishDetails.put("environment", "production");
         publishDetails.put("time", "2024-01-01T00:00:00.000Z");
+        // file deepcode ignore NoHardcodedCredentials/test: <please specify a reason of ignoring this>
         publishDetails.put("user", "user123");
 
         JSONObject json = new JSONObject();