Gradle Capability Resolution

Fixing CVE-2025-12183 in Gradle When the Dependency Changed Ownership

CVE-2025-12183 affects lz4-java 1.8.0, which contains out-of-bounds memory operations. The fix is in version 1.8.1, but the original maintainer never published it under org.lz4:lz4-java. Instead, Sonatype redirects requests for org.lz4:lz4-java:1.8.1 to a fork published as at.yawk.lz4:lz4-java:1.8.1. This creates a problem: both artifacts declare the same capability (org.lz4:lz4-java), so Gradle fails with a capability conflict when both end up on the classpath through transitive dependencies.

The Problem

When a library changes ownership or is forked to a new Maven coordinate, you cannot simply bump the version number. The old coordinate stops receiving updates, and as far as Gradle is concerned the new coordinate is a different module. If any transitive dependency still pulls in the old coordinate, Gradle sees two modules claiming the same capability and fails resolution. ...
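One way to resolve the conflict described above, written here as an added example rather than code from the post or from either lz4-java project. It is a Gradle Kotlin DSL build script that assumes what the excerpt states: that org.lz4:lz4-java:1.8.0 (pulled in transitively by some other dependency) and the fork at.yawk.lz4:lz4-java:1.8.1 both carry the capability org.lz4:lz4-java. The capability-resolution rule tells Gradle which of the two candidates to keep instead of failing the build.

```kotlin
// build.gradle.kts (Kotlin DSL). Added example, not the original post's code.
// Assumption: a transitive dependency still requests org.lz4:lz4-java:1.8.0,
// and both that artifact and at.yawk.lz4:lz4-java:1.8.1 declare the
// capability org.lz4:lz4-java, as the post describes.

import org.gradle.api.artifacts.component.ModuleComponentIdentifier

plugins {
    `java-library`
}

repositories {
    mavenCentral()
}

dependencies {
    // Depend directly on the fixed fork so it is always a resolution candidate.
    implementation("at.yawk.lz4:lz4-java:1.8.1")
}

configurations.all {
    resolutionStrategy.capabilitiesResolution.withCapability("org.lz4", "lz4-java") {
        // This rule only runs when more than one module provides the capability,
        // i.e. when the vulnerable 1.8.0 and the fork meet on one classpath.
        val fork = candidates.firstOrNull { candidate ->
            val id = candidate.id
            id is ModuleComponentIdentifier &&
                id.group == "at.yawk.lz4" &&
                id.module == "lz4-java"
        }
        if (fork != null) {
            // Keep the fork and record why, so `dependencyInsight` shows the reason.
            select(fork)
            because("CVE-2025-12183: org.lz4:lz4-java 1.8.1 was never published; use the at.yawk.lz4 fork")
        }
        // If the fork is somehow not among the candidates, no selection is made and
        // Gradle reports the capability conflict instead of silently keeping 1.8.0.
    }
}
```

After applying the rule, confirm that the vulnerable coordinate is gone from the resolved graph with `./gradlew dependencyInsight --dependency lz4-java --configuration runtimeClasspath`; the output should list only at.yawk.lz4:lz4-java:1.8.1 together with the `because` reason above. If you would rather rewrite the old coordinate outright than arbitrate between candidates, a `resolutionStrategy.dependencySubstitution` block substituting `module("org.lz4:lz4-java")` with `module("at.yawk.lz4:lz4-java:1.8.1")` achieves the same end without relying on the capability declarations.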

January 9, 2026 · 3 min · Will
Renovate Bot

Automated Dependency Updates with Renovate on GitLab

I was updating my blog’s Hugo version and PaperMod theme when I realized I hadn’t touched these dependencies in months. The Hugo Docker image was 8 versions behind, and the theme had accumulated dozens of commits. Not broken, just stale. I wanted something that would automatically check for updates and create merge requests - something I could review and merge on my own schedule, without having to remember to check. ...

December 31, 2025 · 4 min · Will