Skip to content

[Snyk] Upgrade org.hibernate:hibernate-core from 5.3.10.Final to 5.6.15.Final#5

Open
ryanmcmorrowsnyk wants to merge 1 commit into
mainfrom
snyk-upgrade-5da1b4422e2828339f29cd2d1ffb6721
Open

[Snyk] Upgrade org.hibernate:hibernate-core from 5.3.10.Final to 5.6.15.Final#5
ryanmcmorrowsnyk wants to merge 1 commit into
mainfrom
snyk-upgrade-5da1b4422e2828339f29cd2d1ffb6721

Conversation

@ryanmcmorrowsnyk

Copy link
Copy Markdown
Owner

snyk-top-banner

Snyk has created this PR to upgrade org.hibernate:hibernate-core from 5.3.10.Final to 5.6.15.Final.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 98 versions ahead of your current version.

  • The recommended version was released 3 years ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity XML External Entity (XXE) Injection
SNYK-JAVA-ORGDOM4J-565810
300 No Known Exploit
high severity SQL Injection
SNYK-JAVA-ORGHIBERNATE-1041788
300 No Known Exploit
high severity SQL Injection
SNYK-JAVA-ORGHIBERNATE-15038759
300 Proof of Concept
high severity SQL Injection
SNYK-JAVA-ORGHIBERNATE-584563
300 No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

….Final

Snyk has created this PR to upgrade org.hibernate:hibernate-core from 5.3.10.Final to 5.6.15.Final.

See this package in maven:
org.hibernate:hibernate-core

See this project in Snyk:
https://app.snyk.io/org/dev-team-1-GXHHqjKkdZpkvhZpMAbvFF/project/c0084c67-dd3e-4f7c-b3b5-cb4b40911bd5?utm_source=github&utm_medium=referral&page=upgrade-pr
@ryanmcmorrowsnyk

Copy link
Copy Markdown
Owner Author

Merge Risk: High

The upgrade from Hibernate Core 5.3.10.Final to 5.6.15.Final spans multiple minor versions and introduces several significant breaking changes that require code and potentially database schema modifications.

Key Breaking Changes:

  • Removal of Positional JDBC Parameters: Support for positional ? parameters in queries has been removed. All queries must be updated to use named parameters (e.g., :paramName). [1]
  • Cache RegionAccessStrategy API: The RegionAccessStrategy interface and related access strategy classes, which are used for custom second-level cache implementations, have been replaced. [1] If your application implements custom caching strategies, they will need to be updated to the new API.
  • PostgreSQL CLOB Data Type Change: For PostgreSQL users, the default DDL type for columns annotated with @Lob or of type java.sql.Clob has changed from text to oid starting in version 5.6.2. [5] This was done to prevent potential data loss. While existing schemas will continue to work, it is highly recommended to migrate the data type of affected columns to oid. [5]
  • Bytecode Enhancement: The underlying provider for bytecode enhancement has changed. Javassist support was removed in version 5.6, leaving Byte Buddy as the sole provider. [6] Additionally, "enhancement-as-proxy" is enabled by default in version 5.5, which could lead to subtle behavioral changes. [2]

Recommendation:
This upgrade requires careful review and code modification. Developers should:

  1. Audit all native and HQL/JPQL queries to replace positional ? parameters with named parameters.
  2. Review any custom cache implementations for compatibility with the updated RegionAccessStrategy API.
  3. If using PostgreSQL, plan a migration for existing CLOB columns from text to oid to prevent future data loss.

Source: Hibernate Migration Guides, Release Announcements

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants