chore: upgrade jetty version to 11.0.26 to fix CVE-2025-5115

[varkey98]

No description provided.

[github-actions]

Test Results

32 tests  ±0   32 ✅ ±0   16s ⏱️ ±0s
 9 suites ±0    0 💤 ±0 
 9 files   ±0    0 ❌ ±0 

Results for commit 8c5be9d. ± Comparison against base commit 03ae2ac.

♻️ This comment has been updated with latest results.

[varkey98]

this strangely doesnt have any lock file updates

[bhubam]

We cannot move to jetty 12+ until we have not moved all over services to java 17+ . I think there are services which are running on java 11.

[varkey98]

This is an older commit, pls get the latest changes

[avinashkolluru]

Discussed offline. Would prefer getting rid of this explicit dependency here and using the one from commonLibs which means you need to upgrade the version in hypertrace-bom first - https://github.com/hypertrace/hypertrace-bom/blob/846e833212c27988a3b0118e6ae88f5124aed200/gradle/libs.versions.toml#L12

[varkey98]

I've moved to using guice and jetty from the bom. Should I move the other local deps as well to bom?

[avinashkolluru]

Whatever is already in the bom, you should use it. The ones that aren't can remain in this repo repo.

[avinashkolluru]

But, you'd probably need to first update the version in the hypertrace-bom, publish that and then upgrade the locks too here in this repo for the versions to be picked up.

[varkey98]

the version for jetty atleast is already with vuln fix in hypertrace bom

[varkey98]

Also do we know why we refer both bom and local version for grpc in here?
https://github.com/hypertrace/service-framework/blob/main/platform-grpc-service-framework/build.gradle.kts#L10-L11

[avinashkolluru]

This should be coming from bom only. Please refer the one in bom and remove any explicit references in the repo.

[avinashkolluru]

Ignore. I see that you already fixed it.