Gustavo Oliveira

Reputation: 71

How to fix org.projectreactor vulnerabilities on Spring dependencies?

I discovered some vulnerabilities in a Spring project that uses the dependencies:

reactor-netty-core

reactor-netty-http

The only related import I have in the pom.xml file is:

<dependency>
    <groupId>org.projectreactor</groupId>
    <artifactId>reactor-spring</artifactId>
    <version>1.0.1.RELEASE</version>
</dependency>

After some research, I found that there is no new version for this dependency on MavenRepository, but that there is another dependency with the same name (projectreactor).

The difference is that this dependency starts with .io instead of .org.

https://projectreactor.io/docs/core

https://projectreactor.io/docs/netty

Can you help me to understand the difference between .io and .org in this case?

And what is the best way to update this to prevent these vulnerabilities?

Upvotes: 0

Views: 840

Answers (1)

Simon Baslé

Reputation: 28331

Have you found a vulnerability (as in security research), or do you get, e.g., tooling reporting a known vulnerability?

Both Spring projects and Reactor follow VMware security policy. If you've found vulnerabilities, this is the channel through which you should report them.

The reactor-netty artifacts are part of the 3rd generation of Project Reactor (the current one, with the io.projectreactor base groupId).

The org.projectreactor groupId is for the 2nd generation. Reactor 2 is long discontinued (early 2015) and unsupported since then. Reactor 2 and 3 can basically be considered two entirely different libraries.

It is very weird that you'd have an application which uses reactor-netty-* and reactor-spring at the same time. If you are dealing with a Spring Framework 5 application, you can probably simply drop that dependency.

Upvotes: 0
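A small check that follows from the answer above, added here as an example (it is not part of the original question or answer and not a Project Reactor tool): parse a pom.xml and flag any dependency whose groupId is the discontinued Reactor 2 namespace (org.projectreactor), which is the coordinate the answer says can usually be dropped from a Spring Framework 5 application. The pom content is constructed for the example and mirrors the dependency quoted in the question; a dependency with no explicit version (for instance one managed by a BOM) is handled as well.

```python
"""Flag discontinued org.projectreactor (Reactor 2) coordinates in a pom.xml.

Added example for this Q&A page; not code from the original post or from
Project Reactor. The pom below is constructed for the example.
"""
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: one Reactor 2 dependency (as in the question)
# next to a Reactor 3 reactor-netty artifact whose version is BOM-managed.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.projectreactor</groupId>
      <artifactId>reactor-spring</artifactId>
      <version>1.0.1.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>io.projectreactor.netty</groupId>
      <artifactId>reactor-netty-http</artifactId>
    </dependency>
  </dependencies>
</project>
"""

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Reactor 2 lives under org.projectreactor and has been unsupported since
# early 2015 (per the answer); Reactor 3 lives under io.projectreactor.
DISCONTINUED_GROUPS = {"org.projectreactor"}


def parse_dependencies(pom_xml):
    """Return the project's direct dependencies as dicts.

    Only <project>/<dependencies>/<dependency> entries are read, so BOM
    imports under <dependencyManagement> are not mistaken for dependencies.
    A missing <version> (BOM-managed) is reported as None.
    """
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        def text(tag):
            el = dep.find("m:" + tag, POM_NS)
            return el.text.strip() if el is not None and el.text else None
        deps.append({
            "groupId": text("groupId"),
            "artifactId": text("artifactId"),
            "version": text("version"),
        })
    return deps


def find_discontinued(deps):
    """Return the dependencies whose groupId is a discontinued Reactor generation."""
    return [d for d in deps if d["groupId"] in DISCONTINUED_GROUPS]


def report(pom_xml):
    """Human-readable findings, one line per discontinued coordinate."""
    lines = []
    for d in find_discontinued(parse_dependencies(pom_xml)):
        version = d["version"] or "(managed)"
        lines.append(
            "%s:%s:%s uses the discontinued Reactor 2 groupId; "
            "Reactor 3 artifacts are under io.projectreactor"
            % (d["groupId"], d["artifactId"], version)
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_POM):
        print(line)
```

Run it against a real pom.xml by replacing SAMPLE_POM with the file contents; anything it reports is a coordinate from the unsupported generation that no longer receives fixes, which is the first thing to resolve before chasing individual scanner findings.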
