Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHESTRUTS-14915536
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on February 25
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| <hibernate.version>4.3.7.Final</hibernate.version> | ||
| <tapestry.version>5.3.8</tapestry.version> | ||
| <struts2.version>2.3.20</struts2.version> | ||
| <struts2.version>6.1.1</struts2.version> |
There was a problem hiding this comment.
Major version upgrade breaks compilation and runtime
High Severity
The Struts upgrade from 2.3.20 to 6.1.1 is a breaking major version change that will cause compilation and runtime failures. The codebase imports com.opensymphony.xwork2.* classes (e.g., ActionSupport, ActionContext, Preparable) which were migrated to org.apache.struts2.* in Struts 6.x. Multiple action classes depend on these packages. Additionally, the project targets Java 1.7 but Struts 6.x requires Java 8 minimum. The struts.xml also references the outdated struts-2.0.dtd DTD.
| <hibernate.version>4.3.7.Final</hibernate.version> | ||
| <tapestry.version>5.3.8</tapestry.version> | ||
| <struts2.version>2.3.20</struts2.version> | ||
| <struts2.version>6.1.1</struts2.version> |
There was a problem hiding this comment.
Struts filter class path changed in version 6
High Severity
The version upgrade causes the Struts filter configuration in web.xml to fail. The web.xml references org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter, but Struts 6.x moved this class to org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter (removed the .ng. package segment). This will cause a ClassNotFoundException at application startup, preventing deployment.
Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
todolist-goof/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGAPACHESTRUTS-14915536
2.3.20->6.1.1org.apache.struts:struts2-spring-plugin:
2.3.20->6.1.1Major version upgradeNo Path FoundNo Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Dependency upgrade
struts2.versionfrom2.3.20to6.1.1intodolist-goof/pom.xml.Written by Cursor Bugbot for commit 8670f21. This will update automatically on new commits. Configure here.