@stecurran-est-tech

Subsystem
Client/Server, related modules

Motivation
Address vulnerability CVE-2025-48734.

Solution
Force use of commons-beanutils:1.11.0 across subprojects

coderabbitai bot commented Dec 1, 2025

Walkthrough

A global resolution strategy is added under subprojects in build.gradle.kts to force commons-beanutils dependency to version 1.11.0 across all subprojects. The change introduces a configurations.all resolutionStrategy block without modifying existing logic or tasks.

Changes

Cohort / File(s): Gradle build configuration (build.gradle.kts)
Summary: Adds resolutionStrategy to force commons-beanutils version to 1.11.0 in all subproject configurations

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify commons-beanutils 1.11.0 resolves the intended dependency conflict
  • Check for potential incompatibilities with other dependencies or existing code

Suggested labels

👍 ship!

Suggested reviewers

  • osipxd

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Title check: Passed. The title clearly and specifically describes the main change: updating commons-beanutils to version 1.11.0 to resolve a specific CVE vulnerability.
Description check: Passed. The description follows the required template with all sections present: Subsystem, Motivation, and Solution. Each section is filled with relevant and specific information addressing the CVE vulnerability.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
build.gradle.kts (1)

13-20: Approve CVE-2025-48734 fix with optional documentation improvement.

CVE-2025-48734 is an Improper Access Control vulnerability in Apache Commons BeanUtils affecting versions 1.x before 1.11.0, and version 1.11.0 is the recommended upgrade for commons-beanutils 1.x. The resolution strategy syntax is correct and idiomatic for Gradle.

However, adding a comment referencing the CVE would improve maintainability for future developers:

 subprojects {
+    // Force commons-beanutils 1.11.0 to address CVE-2025-48734 (Improper Access Control)
+    // See: https://nvd.nist.gov/vuln/detail/CVE-2025-48734
     configurations.all {
         resolutionStrategy {
             force("commons-beanutils:commons-beanutils:1.11.0")
         }
     }
 }
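Review bot: the comment added in this hunk records why the pin exists, but not that `force("commons-beanutils:commons-beanutils:1.11.0")` pins an exact version rather than a minimum, so a dependency that later requests a newer patched commons-beanutils would be silently downgraded back to 1.11.0. Suggest one more comment line, e.g. `// Revisit or remove this pin once all consumers request >= 1.11.0`, so the override is not left in place indefinitely.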

Additionally, verify that no other build.gradle.kts files contain conflicting commons-beanutils version constraints, as when multiple force calls exist for the same dependency, the last one executed wins.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eaddf43 and 3e9de9e.

📒 Files selected for processing (1)
  • build.gradle.kts (1 hunks)
🧰 Additional context used
🧠 Learnings (6)
📚 Learning: 2025-04-23T11:48:32.634Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4767
File: build-settings-logic/src/main/kotlin/ktorsettings.kotlin-user-project.settings.gradle.kts:136-146
Timestamp: 2025-04-23T11:48:32.634Z
Learning: For Kotlin Train builds in the Ktor project, the properties `atomicfu_version`, `coroutines_version`, and `serialization_version` are expected to be defined in the TeamCity CI environment, so using `.get()` without custom error handling is sufficient.

Applied to files:

  • build.gradle.kts
📚 Learning: 2025-05-08T09:52:11.723Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4836
File: build-logic/src/main/kotlin/ktorbuild.project.server-plugin.gradle.kts:12-12
Timestamp: 2025-05-08T09:52:11.723Z
Learning: In the Ktor project's flattened Gradle structure, projects are declared using a custom DSL with the unary plus operator inside specialized blocks. For example, server projects are declared with `+"project-name"` inside a `server {}` block within the main `projects {}` block. When verifying project declarations, search for `+"project-name"` rather than traditional `include(":project-name")` statements.

Applied to files:

  • build.gradle.kts
📚 Learning: 2025-05-07T13:42:29.388Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4822
File: ktor-server/ktor-server-plugins/ktor-server-i18n/build.gradle.kts:13-17
Timestamp: 2025-05-07T13:42:29.388Z
Learning: In Kotlin build scripts (build.gradle.kts), the preferred syntax for declaring dependencies is using the dot notation like `jvmTest.dependencies { ... }` rather than the nested version `jvmTest { dependencies { ... } }` as it reduces the nesting level by one and improves readability.

Applied to files:

  • build.gradle.kts
📚 Learning: 2025-06-18T12:04:14.597Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4942
File: build-logic/src/main/kotlin/ktorbuild/internal/publish/PublishTasks.kt:69-74
Timestamp: 2025-06-18T12:04:14.597Z
Learning: In build-logic/src/main/kotlin/ktorbuild/internal/publish/PublishTasks.kt, the team intentionally uses singleOrNull for repository name selection to enforce explicit failure when more than one non-default repository is configured. This is preferred over firstOrNull to avoid ambiguity and ensure that multiple repository scenarios are handled explicitly when they arise, rather than relying on implicit ordering.

Applied to files:

  • build.gradle.kts
📚 Learning: 2025-05-07T09:12:14.293Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4836
File: ktor-utils/build.gradle.kts:35-35
Timestamp: 2025-05-07T09:12:14.293Z
Learning: The Ktor project maintains a flat Gradle project structure (where projects are referenced without nested paths like `:ktor-test-base`) while keeping a hierarchical directory organization on disk.

Applied to files:

  • build.gradle.kts
📚 Learning: 2025-04-22T12:33:16.705Z
Learnt from: osipxd
Repo: ktorio/ktor PR: 4805
File: build-logic/src/main/kotlin/ktorbuild/internal/publish/ValidatePublishedArtifactsTask.kt:74-82
Timestamp: 2025-04-22T12:33:16.705Z
Learning: The ValidatePublishedArtifactsTask in the Ktor build system is designed to collect artifacts from all PublishToMavenRepository tasks in the task graph, not just from the specifically named publish task. This is intentional to validate all publications triggered by a task, including those from task dependencies.

Applied to files:

  • build.gradle.kts
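As an added example that is not part of this PR or the Ktor build, a verification task for the caveat raised in the review above (a later force() call for the same dependency winning over this one): it fails the build when any subproject's runtime classpath still resolves commons-beanutils below 1.11.0. The task name, the RuntimeClasspath-suffix filter and the version comparison helper are assumptions.

```kotlin
// Added example (not part of the PR): fail the build if any runtime classpath in
// any subproject resolves commons-beanutils below 1.11.0, e.g. because another
// force() call elsewhere in the build overrode this pin.
fun versionAtLeast(actual: String, minimum: String): Boolean {
    // Numeric component-wise comparison; non-numeric parts count as 0 (assumption).
    val a = actual.split('.').map { it.toIntOrNull() ?: 0 }
    val m = minimum.split('.').map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, m.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = m.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

subprojects {
    tasks.register("checkBeanUtilsVersion") { // task name is an assumption
        group = "verification"
        description = "Fails if commons-beanutils resolves below 1.11.0 (CVE-2025-48734)"
        doLast {
            val minimum = "1.11.0"
            val offenders = mutableListOf<String>()
            // Only resolvable runtime classpaths (runtimeClasspath, jvmRuntimeClasspath, ...)
            configurations
                .filter { it.isCanBeResolved && it.name.endsWith("RuntimeClasspath", ignoreCase = true) }
                .forEach { conf ->
                    conf.incoming.resolutionResult.allComponents.forEach { component ->
                        val id = component.moduleVersion ?: return@forEach
                        if (id.group == "commons-beanutils" && id.name == "commons-beanutils" &&
                            !versionAtLeast(id.version, minimum)
                        ) {
                            offenders += "${project.path}:${conf.name} -> ${id.version}"
                        }
                    }
                }
            if (offenders.isNotEmpty()) {
                throw GradleException(
                    "commons-beanutils below $minimum resolved in:\n" + offenders.joinToString("\n")
                )
            }
        }
    }
}
```

Run it with `./gradlew checkBeanUtilsVersion`; a non-empty offender list means the pin was overridden somewhere and the vulnerable version is still on a classpath.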
