Merge pull request #14534 from thingsboard/rc

rc

common/queue/pom.xml

@@ -69,7 +69,7 @@
             <artifactId>kafka-clients</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.lz4</groupId>
+            <groupId>at.yawk.lz4</groupId>
             <artifactId>lz4-java</artifactId>
         </dependency>
         <dependency>

msa/js-executor/package.json

@@ -15,7 +15,7 @@
   "dependencies": {
     "config": "^4.1.1",
     "express": "^5.1.0",
-    "js-yaml": "^4.1.0",
+    "js-yaml": "^4.1.1",
     "kafkajs": "^2.2.4",
     "long": "^5.3.2",
     "uuid-parse": "^1.1.0",

msa/js-executor/yarn.lock

@@ -945,10 +945,10 @@ isarray@~1.0.0:
   resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11"
   integrity sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==
 
-js-yaml@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
-  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
+js-yaml@^4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.1.tgz#854c292467705b699476e1a2decc0c8a3458806b"
+  integrity sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==
   dependencies:
     argparse "^2.0.1"
 
@@ -1533,9 +1533,9 @@ supports-preserve-symlinks-flag@^1.0.0:
   integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
 
 tar-fs@^2.0.0, tar-fs@^2.1.1:
-  version "2.1.3"
-  resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.3.tgz#fb3b8843a26b6f13a08e606f7922875eb1fbbf92"
-  integrity sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==
+  version "2.1.4"
+  resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.4.tgz#800824dbf4ef06ded9afea4acafe71c67c76b930"
+  integrity sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==
   dependencies:
     chownr "^1.1.1"
     mkdirp-classic "^0.5.2"

msa/web-ui/package.json

@@ -19,7 +19,7 @@
     "express": "^5.1.0",
     "http": "0.0.0",
     "http-proxy": "^1.18.1",
-    "js-yaml": "^4.1.0",
+    "js-yaml": "^4.1.1",
     "winston": "^3.17.0",
     "winston-daily-rotate-file": "^5.0.0"
   },

msa/web-ui/yarn.lock

@@ -1017,10 +1017,10 @@ isarray@~1.0.0:
   resolved "https://registry.yarnpkg.com/isarray/-/isarray-1.0.0.tgz#bb935d48582cba168c06834957a54a3e07124f11"
   integrity sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==
 
-js-yaml@^4.1.0:
-  version "4.1.0"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.0.tgz#c1fb65f8f5017901cdd2c951864ba18458a10602"
-  integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==
+js-yaml@^4.1.1:
+  version "4.1.1"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.1.tgz#854c292467705b699476e1a2decc0c8a3458806b"
+  integrity sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==
   dependencies:
     argparse "^2.0.1"
 
@@ -1615,9 +1615,9 @@ supports-preserve-symlinks-flag@^1.0.0:
   integrity sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==
 
 tar-fs@^2.0.0, tar-fs@^2.1.1:
-  version "2.1.3"
-  resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.3.tgz#fb3b8843a26b6f13a08e606f7922875eb1fbbf92"
-  integrity sha512-090nwYJDmlhwFwEW3QQl+vaNnxsO2yVsd45eTKRBzSzu+hlb1w2K9inVq5b0ngXuLVqQ4ApvsUHHnu/zQNkWAg==
+  version "2.1.4"
+  resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.4.tgz#800824dbf4ef06ded9afea4acafe71c67c76b930"
+  integrity sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==
   dependencies:
     chownr "^1.1.1"
     mkdirp-classic "^0.5.2"

pom.xml

@@ -86,7 +86,7 @@
         org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090.
         Here is the source to track https://github.com/apache/kafka/tree/trunk/clients/src/main/java/org/apache/kafka/common/network -->
         <kafka.version>3.9.1</kafka.version>
-        <lz4.version>1.8.1</lz4.version> <!-- to fix CVE-2025-12183 introduced through kafka-clients 3.9.1 TODO: remove when kafka-clients is bumped -->
+        <lz4.version>1.10.1</lz4.version> <!-- to fix CVE-2025-12183 and CVE-2025-66566 introduced through kafka-clients 3.9.1 TODO: remove when kafka-clients is bumped -->
         <bucket4j.version>8.10.1</bucket4j.version>
         <antlr.version>3.5.3</antlr.version>
         <snakeyaml.version>2.2</snakeyaml.version>
@@ -102,7 +102,7 @@
 
         <passay.version>1.6.4</passay.version>
         <ua-parser.version>1.6.1</ua-parser.version>
-        <commons-beanutils.version>1.9.4</commons-beanutils.version>
+        <commons-beanutils.version>1.11.0</commons-beanutils.version>
         <commons-collections.version>4.4</commons-collections.version>
         <protobuf-dynamic.version>1.0.4TB</protobuf-dynamic.version>
         <wire-schema.version>3.7.1</wire-schema.version>
@@ -147,7 +147,7 @@
         <firebase-admin.version>9.2.0</firebase-admin.version>
         <snappy.version>1.1.10.5</snappy.version>
         <rocksdbjni.version>9.10.0</rocksdbjni.version>
-        <netty.version>4.1.125.Final</netty.version> <!-- to fix CVEs. TODO: remove when fixed in spring-boot-dependencies -->
+        <netty.version>4.1.128.Final</netty.version> <!-- to fix CVEs. TODO: remove when fixed in spring-boot-dependencies -->
     </properties>
 
     <modules>
@@ -1162,7 +1162,7 @@
                 </exclusions>
             </dependency>
             <dependency>
-                <groupId>org.lz4</groupId>
+                <groupId>at.yawk.lz4</groupId>
                 <artifactId>lz4-java</artifactId>
                 <version>${lz4.version}</version> <!-- to fix CVE introduced through kafka-clients 3.9.1 -->
             </dependency>
@@ -1445,6 +1445,12 @@
                 <groupId>org.apache.cassandra</groupId>
                 <artifactId>cassandra-all</artifactId>
                 <version>${cassandra-all.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.lz4</groupId>
+                        <artifactId>lz4-java</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
             <dependency>
                 <groupId>org.testng</groupId>

rule-engine/rule-engine-components/pom.xml

@@ -97,7 +97,7 @@
             <artifactId>kafka-clients</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.lz4</groupId>
+            <groupId>at.yawk.lz4</groupId>
             <artifactId>lz4-java</artifactId>
         </dependency>
         <dependency>

tools/pom.xml

@@ -55,6 +55,10 @@
             <groupId>org.apache.cassandra</groupId>
             <artifactId>cassandra-all</artifactId>
         </dependency>
+        <dependency>
+            <groupId>at.yawk.lz4</groupId>
+            <artifactId>lz4-java</artifactId>
+        </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>

ui-ngx/patches/@angular+common+18.2.13.patch

@@ -0,0 +1,66 @@
+diff --git a/node_modules/@angular/common/esm2022/http/src/xsrf.mjs b/node_modules/@angular/common/esm2022/http/src/xsrf.mjs
+index da69c17..d17f6ad 100755
+--- a/node_modules/@angular/common/esm2022/http/src/xsrf.mjs
++++ b/node_modules/@angular/common/esm2022/http/src/xsrf.mjs
+@@ -19,6 +19,10 @@ export const XSRF_HEADER_NAME = new InjectionToken(ngDevMode ? 'XSRF_HEADER_NAME
+     providedIn: 'root',
+     factory: () => XSRF_DEFAULT_HEADER_NAME,
+ });
++/**
++ * Regex to match absolute URLs, including protocol-relative URLs.
++ */
++const ABSOLUTE_URL_REGEX = /^(?:https?:)?\/\//i;
+ /**
+  * Retrieves the current XSRF token to use with the next outgoing request.
+  *
+@@ -69,7 +73,6 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "18.2.13", ngImpo
+                     args: [XSRF_COOKIE_NAME]
+                 }] }] });
+ export function xsrfInterceptorFn(req, next) {
+-    const lcUrl = req.url.toLowerCase();
+     // Skip both non-mutating requests and absolute URLs.
+     // Non-mutating requests don't require a token, and absolute URLs require special handling
+     // anyway as the cookie set
+@@ -77,8 +80,7 @@ export function xsrfInterceptorFn(req, next) {
+     if (!inject(XSRF_ENABLED) ||
+         req.method === 'GET' ||
+         req.method === 'HEAD' ||
+-        lcUrl.startsWith('http://') ||
+-        lcUrl.startsWith('https://')) {
++        ABSOLUTE_URL_REGEX.test(req.url)) {
+         return next(req);
+     }
+     const token = inject(HttpXsrfTokenExtractor).getToken();
+diff --git a/node_modules/@angular/common/fesm2022/http.mjs b/node_modules/@angular/common/fesm2022/http.mjs
+index 1655480..d1dbb38 100755
+--- a/node_modules/@angular/common/fesm2022/http.mjs
++++ b/node_modules/@angular/common/fesm2022/http.mjs
+@@ -2352,6 +2352,10 @@ const XSRF_HEADER_NAME = new InjectionToken(ngDevMode ? 'XSRF_HEADER_NAME' : '',
+     providedIn: 'root',
+     factory: () => XSRF_DEFAULT_HEADER_NAME,
+ });
++/**
++ * Regex to match absolute URLs, including protocol-relative URLs.
++ */
++const ABSOLUTE_URL_REGEX = /^(?:https?:)?\/\//i;
+ /**
+  * Retrieves the current XSRF token to use with the next outgoing request.
+  *
+@@ -2402,7 +2406,6 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "18.2.13", ngImpo
+                     args: [XSRF_COOKIE_NAME]
+                 }] }] });
+ function xsrfInterceptorFn(req, next) {
+-    const lcUrl = req.url.toLowerCase();
+     // Skip both non-mutating requests and absolute URLs.
+     // Non-mutating requests don't require a token, and absolute URLs require special handling
+     // anyway as the cookie set
+@@ -2410,8 +2413,7 @@ function xsrfInterceptorFn(req, next) {
+     if (!inject(XSRF_ENABLED) ||
+         req.method === 'GET' ||
+         req.method === 'HEAD' ||
+-        lcUrl.startsWith('http://') ||
+-        lcUrl.startsWith('https://')) {
++        ABSOLUTE_URL_REGEX.test(req.url)) {
+         return next(req);
+     }
+     const token = inject(HttpXsrfTokenExtractor).getToken();

ui-ngx/patches/@angular+compiler+18.2.13.patch

@@ -0,0 +1,88 @@
+diff --git a/node_modules/@angular/compiler/fesm2022/compiler.mjs b/node_modules/@angular/compiler/fesm2022/compiler.mjs
+index a00b189..260e7be 100755
+--- a/node_modules/@angular/compiler/fesm2022/compiler.mjs
++++ b/node_modules/@angular/compiler/fesm2022/compiler.mjs
+@@ -18631,6 +18631,7 @@ function SECURITY_SCHEMA() {
+             'area|ping',
+             'audio|src',
+             'a|href',
++            'a|xlink:href',
+             'a|ping',
+             'blockquote|cite',
+             'body|background',
+@@ -18644,6 +18645,75 @@ function SECURITY_SCHEMA() {
+             'track|src',
+             'video|poster',
+             'video|src',
++
++            // MathML namespace
++            // https://crsrc.org/c/third_party/blink/renderer/core/sanitizer/sanitizer.cc;l=753-768;drc=b3eb16372dcd3317d65e9e0265015e322494edcd;bpv=1;bpt=1
++            'annotation|href',
++            'annotation|xlink:href',
++            'annotation-xml|href',
++            'annotation-xml|xlink:href',
++            'maction|href',
++            'maction|xlink:href',
++            'malignmark|href',
++            'malignmark|xlink:href',
++            'math|href',
++            'math|xlink:href',
++            'mroot|href',
++            'mroot|xlink:href',
++            'msqrt|href',
++            'msqrt|xlink:href',
++            'merror|href',
++            'merror|xlink:href',
++            'mfrac|href',
++            'mfrac|xlink:href',
++            'mglyph|href',
++            'mglyph|xlink:href',
++            'msub|href',
++            'msub|xlink:href',
++            'msup|href',
++            'msup|xlink:href',
++            'msubsup|href',
++            'msubsup|xlink:href',
++            'mmultiscripts|href',
++            'mmultiscripts|xlink:href',
++            'mprescripts|href',
++            'mprescripts|xlink:href',
++            'mi|href',
++            'mi|xlink:href',
++            'mn|href',
++            'mn|xlink:href',
++            'mo|href',
++            'mo|xlink:href',
++            'mpadded|href',
++            'mpadded|xlink:href',
++            'mphantom|href',
++            'mphantom|xlink:href',
++            'mrow|href',
++            'mrow|xlink:href',
++            'ms|href',
++            'ms|xlink:href',
++            'mspace|href',
++            'mspace|xlink:href',
++            'mstyle|href',
++            'mstyle|xlink:href',
++            'mtable|href',
++            'mtable|xlink:href',
++            'mtd|href',
++            'mtd|xlink:href',
++            'mtr|href',
++            'mtr|xlink:href',
++            'mtext|href',
++            'mtext|xlink:href',
++            'mover|href',
++            'mover|xlink:href',
++            'munder|href',
++            'munder|xlink:href',
++            'munderover|href',
++            'munderover|xlink:href',
++            'semantics|href',
++            'semantics|xlink:href',
++            'none|href',
++            'none|xlink:href',
+         ]);
+         registerContext(SecurityContext.RESOURCE_URL, [
+             'applet|code',