
Upgrade kotlin-reflect from 1.6.10 to 2.2.0 #6984

Merged: timtebeek merged 1 commit into main from upgrade-kotlin-reflect, Mar 14, 2026


Conversation

@timtebeek (Member) commented Mar 14, 2026

Summary

  • kotlin-compiler-embeddable declares a transitive dependency on kotlin-reflect:1.6.10, which is flagged for CVE-2020-29582 (insecure temp file permissions in createTempDir/createTempFile)
  • Adds an explicit kotlin-reflect dependency at 2.2.0 (matching the existing kotlinVersion) so Gradle's conflict resolution selects the newer version
  • This single change resolves the CVE across all 47 downstream recipe repos that transitively depend on rewrite-kotlin

Verification

  • ./gradlew :rewrite-kotlin:dependencies --configuration runtimeClasspath confirms kotlin-reflect:1.6.10 -> 2.2.0
  • ./gradlew :rewrite-kotlin:assemble compiles cleanly
  • Ref: moderneinc/dependency-vulnerability-reports#1010

kotlin-compiler-embeddable declares a transitive dependency on
kotlin-reflect 1.6.10, which is flagged for CVE-2020-29582 (insecure
temp file permissions). Adding an explicit kotlin-reflect dependency at
the same version as the rest of the Kotlin dependencies (2.2.0) causes
Gradle's conflict resolution to select the newer version.

This resolves the vulnerability across all 47 downstream recipe repos
that transitively depend on rewrite-kotlin.

See moderneinc/dependency-vulnerability-reports#1010
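The dependency override the PR describes, together with a build-time guard that keeps the fix from regressing, as an added example in Gradle Kotlin DSL. This is not the rewrite-kotlin build script itself: the `kotlinVersion` property name is the one the PR mentions, while the task name `checkKotlinReflectVersion`, the `versionAtLeast` helper and the `kotlinReflectFloor` value are assumptions made for this illustration.

```kotlin
// Added example (Gradle Kotlin DSL), not the rewrite-kotlin build script.
// Assumptions: a kotlinVersion property of "2.2.0" (the PR mentions one by that
// name) and a hypothetical guard task named checkKotlinReflectVersion.
plugins {
    kotlin("jvm") version "2.2.0"
}

val kotlinVersion = "2.2.0"

dependencies {
    // Pulls in kotlin-reflect:1.6.10 transitively (flagged for CVE-2020-29582 per the PR).
    implementation("org.jetbrains.kotlin:kotlin-compiler-embeddable:$kotlinVersion")

    // Explicit direct dependency: Gradle's default conflict resolution keeps the
    // highest version requested for a module, so 2.2.0 wins over the transitive 1.6.10.
    implementation("org.jetbrains.kotlin:kotlin-reflect:$kotlinVersion")
}

// Minimum acceptable kotlin-reflect version on the runtime classpath (assumed value).
val kotlinReflectFloor = "2.2.0"

// Numeric, component-wise version comparison; non-numeric suffixes are ignored.
fun versionAtLeast(actual: String, floor: String): Boolean {
    val a = actual.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    val f = floor.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, f.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = f.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

// Build-time guard: fail if kotlin-reflect resolves to anything older than the floor,
// so a later dependency change that reintroduces 1.6.10 is caught by CI, not by a scanner.
tasks.register("checkKotlinReflectVersion") {
    description = "Fails the build if kotlin-reflect resolves below $kotlinReflectFloor"
    // Capture the configuration provider at configuration time, not inside doLast.
    val runtimeClasspath = configurations.runtimeClasspath
    doLast {
        // resolutionResult reflects the versions selected after conflict resolution.
        val resolved = runtimeClasspath.get().incoming.resolutionResult.allComponents
            .mapNotNull { it.moduleVersion }
            .firstOrNull { it.group == "org.jetbrains.kotlin" && it.name == "kotlin-reflect" }
            ?: error("kotlin-reflect is not on the runtime classpath")
        check(versionAtLeast(resolved.version, kotlinReflectFloor)) {
            "kotlin-reflect resolved to ${resolved.version}, below the required $kotlinReflectFloor"
        }
        logger.lifecycle("kotlin-reflect resolved to ${resolved.version}")
    }
}

// Run the guard as part of the normal `check` lifecycle (and therefore `build`).
tasks.named("check") {
    dependsOn("checkKotlinReflectVersion")
}
```

Declaring the direct dependency is what the PR does; a `constraints { implementation("org.jetbrains.kotlin:kotlin-reflect") { version { require(kotlinVersion) } } }` block would raise the transitive version without adding a direct dependency, which is preferable when the module is not used directly. The guard task is the part that matters for drift: the one-off `dependencies` run in the PR shows the fix once, while the task re-checks the resolved version on every build.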
@Jenson3210 (Contributor) left a comment

I have to say I do not know the impact of bumping partial Kotlin versions compatibility-wise. We have to keep this change in mind for future potential Kotlin-related failures?

@github-project-automation github-project-automation Bot moved this from In Progress to Ready to Review in OpenRewrite Mar 14, 2026
@timtebeek timtebeek marked this pull request as ready for review March 14, 2026 16:43
@timtebeek timtebeek merged commit 1167bbe into main Mar 14, 2026
1 check passed
@timtebeek timtebeek deleted the upgrade-kotlin-reflect branch March 14, 2026 16:43
@github-project-automation github-project-automation Bot moved this from Ready to Review to Done in OpenRewrite Mar 14, 2026
@timtebeek (Member, Author)

We'd recently already bumped our Kotlin version to 2.2.0; it looks like kotlin-reflect was left behind, but it is best aligned now.
