
Update Jetty to 12.1.8 (fixes #550)#552

Open
miguno wants to merge 1 commit into ring-clojure:master from miguno:jetty-update

Conversation

@miguno
Contributor

@miguno miguno commented Apr 12, 2026

This PR updates Jetty to 12.1.8 to address two CVEs.

CVEs:

Details

Dependency Information
-----------------------------------------------------
NAME: org.eclipse.jetty.websocket/jetty-websocket-core-server
VERSION: 12.1.0

DEPENDENCY FOUND IN:

[ring/ring-jetty-adapter]
        [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-jetty-server]
                [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-servlet]


FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2025-11143
CVSS: 6.5 (version 3.1)
PATCHED VERSION: 12.1.5

SEVERITY: HIGH
IDENTIFIERS: CVE-2026-1605
CVSS: 7.5 (version 3.1)
PATCHED VERSION: 12.1.6

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Dependency Information
-----------------------------------------------------
NAME: org.eclipse.jetty.websocket/jetty-websocket-core-common
VERSION: 12.1.0

DEPENDENCY FOUND IN:

[ring/ring-jetty-adapter]
        [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-jetty-server]
                [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-jetty-common]

[ring/ring-jetty-adapter]
        [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-jetty-server]
                [org.eclipse.jetty.ee9.websocket/jetty-ee9-websocket-servlet]
                        [org.eclipse.jetty.websocket/jetty-websocket-core-server]


FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2025-11143
CVSS: 6.5 (version 3.1)
PATCHED VERSION: 12.1.5

SEVERITY: HIGH
IDENTIFIERS: CVE-2026-1605
CVSS: 7.5 (version 3.1)
PATCHED VERSION: 12.1.6

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Dependencies scanned: 47
Vulnerable dependencies found: 2 (2 High)

Related issues:

@weavejester
Member

Looks like 12.1.8 breaks custom on-ping websocket events for some reason.

@weavejester
Member

The issue appears to be a fragile test. Duplicating the ByteBuffer fixes it:

diff --git a/ring-jetty-adapter/test/ring/adapter/test/jetty.clj b/ring-jetty-adapter/test/ring/adapter/test/jetty.clj
index 106df91..2c68114 100644
--- a/ring-jetty-adapter/test/ring/adapter/test/jetty.clj
+++ b/ring-jetty-adapter/test/ring/adapter/test/jetty.clj
@@ -816,8 +816,8 @@
                       (on-close [_ _ _ _])
                       wsp/PingListener
                       (on-ping [_ sock data]
-                        (ws/pong sock data)
-                        (swap! log conj [:ping (buf->str data)])))})]
+                        (swap! log conj [:ping (buf->str (.duplicate data))])
+                        (ws/pong sock data)))})]
       (with-server handler {:port test-port}
         (let [ws @(hato/websocket test-websocket-url
                                   {:on-pong
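Review bot: the reordering in this hunk is load-bearing, not only the `.duplicate` call. If `ws/pong` drains the payload buffer, then calling `(.duplicate data)` after `(ws/pong sock data)` would yield a duplicate whose position already equals its limit, and `buf->str` would still log an empty string; `.duplicate` only gives an independent position and limit over the same backing bytes, so reading from it before the pong is what keeps `data` intact. A one-line comment on the `on-ping` handler noting that the buffer is logged before it is handed to `ws/pong` on purpose would stop a future tidy-up from swapping the two lines back.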
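The ByteBuffer behaviour behind the test fix, as an added example that is not part of the pull request or the Ring code base: reading a `java.nio.ByteBuffer` advances its position, so a second reader sees nothing, while a `.duplicate` has its own position over the same bytes. `buf->str` here is a stand-in with the same shape as the test helper, and `consume!` is an assumed stand-in for whatever drains the ping payload (such as sending the pong); the payload string is constructed for the example.

```clojure
(ns example.bytebuffer
  (:import [java.nio ByteBuffer]
           [java.nio.charset StandardCharsets]))

;; Stand-in for the test's buf->str: drains the buffer's remaining bytes
;; into a String. Like any bulk get, this advances the buffer's position.
(defn buf->str [^ByteBuffer buf]
  (let [arr (byte-array (.remaining buf))]
    (.get buf arr)
    (String. arr StandardCharsets/UTF_8)))

;; Assumed stand-in for a consumer such as sending a pong frame: it reads
;; the payload and therefore leaves the buffer with zero remaining bytes.
(defn consume! [^ByteBuffer buf]
  (.get buf (byte-array (.remaining buf)))
  nil)

(defn payload []
  ;; Constructed sample ping payload.
  (ByteBuffer/wrap (.getBytes "ping-payload" StandardCharsets/UTF_8)))

(defn fragile-order
  "Consume first, then read the same buffer: the read sees 0 remaining bytes."
  []
  (let [data (payload)]
    (consume! data)
    (buf->str data)))

(defn robust-order
  "Read from a duplicate (independent position, shared content) before
   consuming the original: the read sees the full payload and the original
   is still fully available to the consumer."
  []
  (let [data (payload)
        seen (buf->str (.duplicate data))]
    (consume! data)
    [seen (.remaining data)]))

(defn -main [& _]
  ;; Self-check: the fragile ordering logs an empty string, the robust
  ;; ordering logs the payload and still leaves nothing behind for the consumer.
  (assert (= "" (fragile-order)))
  (assert (= ["ping-payload" 0] (robust-order)))
  (println "fragile:" (pr-str (fragile-order)))
  (println "robust: " (pr-str (robust-order))))
```

Run it with `clojure -M -m example.bytebuffer` (or load the namespace in a REPL and call `(-main)`). The same logic applies to `.slice` or `.asReadOnlyBuffer`: any view with its own position protects the original from being drained by a logging or inspection step.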

@miguno
Contributor Author

miguno commented Apr 12, 2026

Updated the PR. Both lein test and lein test-all pass for me locally.

Thanks for providing the fix for the test.

@weavejester
Member

Looks good! Can you squash down your commits into one? You can use your original commit message.

@miguno
Contributor Author

miguno commented Apr 12, 2026

Squashing done!

PS: And sorry for creating extra work for you regarding the additionally required fixes for this version bump (and in the other PR).

@weavejester
Member

sorry for creating extra work for you regarding the additionally required fixes for this version bump (and in the other PR).

No worries, that's what reviews are for.

@weavejester
Member

Can you change the commit message to:

Update Jetty to 12.1.8

Update Jetty to 12.1.8 and fix fragile websocket test by duplicating
ByteBuffer. Fixes #550.

This makes the explanation a little clearer and adds a note about which issue was fixed.

@miguno
Contributor Author

miguno commented Apr 12, 2026

Done!

@weavejester
Member

Looks like you're missing the subject line of the commit message - that's the first line.

Update Jetty to 12.1.8 and fix fragile websocket test by duplicating
ByteBuffer. Fixes ring-clojure#550.
@miguno
Contributor Author

miguno commented Apr 12, 2026

Looks like you're missing the subject line of the commit message - that's the first line.

Fixed.

This was a misunderstanding of what you wrote in #552 (comment) (I thought you wanted only the second line as the entire commit message, because the first line was the original commit's message).
