fix(deps): update dependency com.microsoft.sqlserver:mssql-jdbc to v12.6.5.jre11 [security] #10201
Summary of Changes
Hello @renovate-bot, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request automates the update of the Microsoft SQL Server JDBC driver to its latest patch version. The primary purpose of this update is to incorporate a critical security fix, enhancing the overall security posture of the applications using this driver by mitigating a known spoofing vulnerability.
Code Review
This pull request updates the com.microsoft.sqlserver:mssql-jdbc dependency from 12.6.0.jre11 to 12.6.5.jre11. This is a necessary security update to address CVE-2025-59250. The change itself is correct. I have included one suggestion to improve the project's long-term maintainability by centralizing dependency version management.
| <groupId>com.microsoft.sqlserver</groupId> | ||
| <artifactId>mssql-jdbc</artifactId> | ||
| <version>12.6.0.jre11</version> | ||
| <version>12.6.5.jre11</version> |
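Review bot: with automerge enabled for this PR (see Configuration below), nothing on this page ties 12.6.5.jre11 to the fix for CVE-2025-59250 beyond the one-line advisory summary, so confirm the advisory's fixed version against the driver's release notes before this lands. The bump touches only the `<version>` element; groupId, artifactId and the `.jre11` classifier are unchanged, so the module's Java target is unaffected.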
While this version update is correct and necessary, I've noticed that the mssql-jdbc dependency version is hardcoded here and also in cloud-sql/sqlserver/servlet/pom.xml. To improve maintainability and prevent version drift between modules in the future, I recommend centralizing the version management.

A common practice in Maven is to define a property for the version in a parent pom.xml and reference it in child modules.

For example, in a parent pom.xml:

```xml
<properties>
  <mssql-jdbc.version>12.6.5.jre11</mssql-jdbc.version>
</properties>
```

Then, in this pom.xml and other modules:

```xml
<dependency>
  <groupId>com.microsoft.sqlserver</groupId>
  <artifactId>mssql-jdbc</artifactId>
  <version>${mssql-jdbc.version}</version>
</dependency>
```

This is likely out of scope for this automated PR, but it's a good practice to consider for easier future maintenance.
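As an added example (not part of the PR, of Renovate, or of the review comment above), a small Python check for the version drift the comment describes: it walks a set of pom.xml files, resolves `${...}` properties the way the suggested parent-property pattern needs, and reports any module still declaring an mssql-jdbc version older than the fixed release. All POM contents and the module paths other than cloud-sql/sqlserver/servlet/pom.xml are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Coordinates of the driver this PR bumps.
GROUP, ARTIFACT = "com.microsoft.sqlserver", "mssql-jdbc"
def _local(el):
    """Element name with the Maven POM namespace stripped."""
    return el.tag.rsplit("}", 1)[-1]
def _child_text(el, name):
    """Text of the first direct child called `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in el if _local(c) == name), "")
def version_key(version):
    """'12.6.5.jre11' -> (12, 6, 5); the jre classifier does not affect ordering."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())
def resolve(value, props):
    """Expand ${name} placeholders from the POM's <properties>; unknown ones stay."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
def driver_versions(pom_xml):
    """Every mssql-jdbc version declared in one POM, placeholders expanded."""
    root = ET.fromstring(pom_xml)
    props = {_local(p): (p.text or "").strip()
             for block in root.iter() if _local(block) == "properties" for p in block}
    return [resolve(_child_text(dep, "version"), props)
            for dep in root.iter() if _local(dep) == "dependency"
            and _child_text(dep, "groupId") == GROUP
            and _child_text(dep, "artifactId") == ARTIFACT
            and _child_text(dep, "version")]
def find_drift(poms, minimum):
    """Map module path -> declared versions older than `minimum` (empty list = ok)."""
    floor = version_key(minimum)
    return {path: [v for v in driver_versions(xml) if version_key(v) < floor]
            for path, xml in poms.items()}

# Constructed sample modules (not the project's real files): the servlet module still
# on the pre-fix release, one on the fixed release, one using a parent-style property.
SAMPLE_POMS = {
    "cloud-sql/sqlserver/servlet/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>com.microsoft.sqlserver</groupId><artifactId>mssql-jdbc</artifactId>
  <version>12.6.0.jre11</version></dependency></dependencies></project>""",
    "example-module/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>com.microsoft.sqlserver</groupId><artifactId>mssql-jdbc</artifactId>
  <version>12.6.5.jre11</version></dependency></dependencies></project>""",
    "example-property-module/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><mssql-jdbc.version>12.6.5.jre11</mssql-jdbc.version></properties><dependencies>
  <dependency><groupId>com.microsoft.sqlserver</groupId><artifactId>mssql-jdbc</artifactId>
  <version>${mssql-jdbc.version}</version></dependency></dependencies></project>""",
}
```

Running `find_drift(SAMPLE_POMS, "12.6.5.jre11")` flags only the servlet module; a CI job can run the same check over every pom.xml in the repository so a bump in one module cannot silently leave another behind.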
This PR contains the following updates:
12.6.0.jre11 -> 12.6.5.jre11
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2025-59250
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.