Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-15038759
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
This is the final PR Bugbot will review for you during this billing cycle
Your free Bugbot reviews will reset on February 8
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| <properties> | ||
| <spring.version>3.2.15.RELEASE</spring.version> | ||
| <hibernate.version>4.3.7.Final</hibernate.version> | ||
| <hibernate.version>5.3.38.Final</hibernate.version> |
There was a problem hiding this comment.
Hibernate 5.3 requires Java 8 but project targets Java 7
High Severity
Upgrading hibernate.version to 5.3.38.Final introduces a Java version incompatibility. Hibernate 5.x requires Java 8+, but this project is configured to compile with <source>1.7</source> and <target>1.7</target>. The project's source code will compile successfully, but the application will fail at runtime with UnsupportedClassVersionError when the JVM attempts to load Hibernate classes (which contain Java 8 bytecode) on a Java 7 runtime. The Java version configuration in the build settings needs to be updated to at least Java 8.
| <properties> | ||
| <spring.version>3.2.15.RELEASE</spring.version> | ||
| <hibernate.version>4.3.7.Final</hibernate.version> | ||
| <hibernate.version>5.3.38.Final</hibernate.version> |
There was a problem hiding this comment.
JPA API version conflict with Hibernate 5.3 upgrade
Medium Severity
The Hibernate upgrade to 5.3.38.Final creates a JPA API version conflict. The project explicitly depends on hibernate-jpa-2.0-api (JPA 2.0) in todolist-core/pom.xml, but Hibernate 5.3 transitively brings in javax.persistence-api 2.2. Having two different versions of javax.persistence.* classes on the classpath can cause runtime errors like NoSuchMethodError or ClassNotFoundException when JPA 2.2-specific methods or behaviors are expected by Hibernate but the JPA 2.0 API classes get loaded first.
Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGHIBERNATE-15038759
4.3.7.Final->5.3.38.Finalorg.hibernate:hibernate-entitymanager:
4.3.7.Final->5.3.38.FinalMajor version upgradeProof of ConceptImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 SQL Injection
Note
Upgrades the parent Maven
hibernate.versionproperty, impacting all modules that inherit it.hibernate.versionin rootpom.xmlfrom4.3.7.Finalto5.3.38.Final(affectinghibernate-core/hibernate-entitymanagerresolves via property)Written by Cursor Bugbot for commit e489c0e. This will update automatically on new commits. Configure here.