chore: upgrade testbench to 9.5.6 (24.9)

[ZheSun88]

No description provided.

[github-actions]

Dependencies Report

• 🚫 Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin@24.9-SNAPSHOT [CVE-2026-2742] (osv-bomber,osv-scan)
    ·
  • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.54 [CVE-2026-43515, CVE-2026-43513, CVE-2026-43514, CVE-2026-42498, CVE-2026-41284, CVE-2026-43512, CVE-2026-41293, BIT-tomcat-2026-43515, BIT-tomcat-2026-43513, BIT-tomcat-2026-43514, BIT-tomcat-2026-42498, BIT-tomcat-2026-41284, BIT-tomcat-2026-43512, BIT-tomcat-2026-41293] (osv-bomber,osv-scan,owasp)
    · cpe:2.3:a:apache:tomcat::::::::
    ·
  • Vulnerabilities in: pkg:maven/com.vaadin/flow-server@24.9-SNAPSHOT [CVE-2026-2742] (osv-scan)
    ·
  • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat@10.1.54 [BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2026-41293, CVE-2026-41293] (osv-scan)
    ·
  • Vulnerabilities in: pkg:maven/org.apache.tomcat/tomcat-catalina@10.1.54 [BIT-tomcat-2026-43515, CVE-2026-43515, BIT-tomcat-2026-43513, CVE-2026-43513, BIT-tomcat-2026-43514, CVE-2026-43514, BIT-tomcat-2026-42498, CVE-2026-42498, BIT-tomcat-2026-41284, CVE-2026-41284, BIT-tomcat-2026-43512, CVE-2026-43512, BIT-tomcat-2026-41293, CVE-2026-41293] (osv-scan)
    ·
  • Vulnerabilities in: pkg:maven/org.springframework.boot/spring-boot-starter-aop@3.5.13 [CVE-2026-40974, CVE-2026-40971, CVE-2026-40972, CVE-2026-40975, CVE-2026-40973, CVE-2026-40977] (owasp)
    👌 Pulled in transitively via spring-cloud-kubernetes-fabric8-config:3.3.2 (the latest available release), where the platform parent already pins spring.boot.version to the latest 3.5.x. Spring dependency can be managed by the end user with using <spring.boot.version> or the parent spring boot starter — using the latest Spring Boot version is recommended.
    · cpe:2.3:a:vmware:spring_boot::::::::
  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-core@24.9-SNAPSHOT [CVE-2026-2742, CVE-2026-2741] (owasp)
    · cpe:2.3:a:vaadin:vaadin::::::::
  • Vulnerabilities in: pkg:maven/io.vertx/vertx-auth-common@4.5.25 [CVE-2026-6860] (owasp)
    · cpe:2.3:a:eclipse:vert.x::::::::
  • Vulnerabilities in: pkg:maven/io.vertx/vertx-web-client@4.5.25 [CVE-2026-6860] (owasp)
    · cpe:2.3:a:eclipse:vert.x::::::::

• 🟠 Known Vulnerabilities:

  • Vulnerabilities in: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3 [CVE-2023-35116] (owasp)
    👌 Not a valid CVE report based on the vendor analysis and research
    · cpe:2.3:a:fasterxml:jackson-databind::::::::
  • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
    👌 Wait for the update from the jcefmaven community. Meanwhile the swing-kit is supposed to be used with fixed websites and not to browse the internet, we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. so this vulnerability is not classified by us as critical issue
    · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
    · cpe:2.3:a:ada:ada::::::::
  • Vulnerabilities in: pkg:maven/com.networknt/json-schema-validator@1.5.9 [CVE-2025-15104] (owasp)
    👌 FP: The CVE belongs to Nu Html Checker which produce a false positive on Networknt JSON Schema Validator due to the overlapping keyword or an overly broad CPE mapping rule.
    · cpe:2.3:a:validator:validator::::::::
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.20 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.6.20 [CVE-2020-29582] (owasp)
    👌 The impact of this vulnerability is low, instead of taking the risk to break V24 with upgrading kotlin to 2.x, we focus on to not use deprecated API, to not use sensitive data in tests and to clean up the temp folders.
    · cpe:2.3:a:jetbrains:kotlin::::::::
    · cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
    · cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:::::::*
  • Vulnerabilities in: pkg:maven/io.netty/netty-codec-memcache@4.1.133.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:maven/io.netty/netty-codec-mqtt@4.1.133.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:maven/io.netty/netty-transport@4.1.133.Final [CVE-2026-42582] (owasp)
    👌 FP: Based on GHSA-2c5c-chwr-9hqw, the entire 4.1.x branch of Netty does not contain the HTTP/3 codec sub-module or the QpackDecoder class.
    · cpe:2.3:a:netty:netty::::::::
  • Vulnerabilities in: pkg:javascript/quill@1.3.7 [CVE-2021-3163] (owasp)
    👌 Disputed. Researchers have claimed that this issue is not within the product itself, but is intended behavior in a web browser
    · cpe:2.3:a:slab:quill:4.8.0:::::node.js::
  • Vulnerabilities in: pkg:maven/com.vaadin/vaadin-swing-kit-flow@2.4.2 [CVE-2021-33604] (owasp)
    👌 false report: this CVE is targeting Vaadin version prior 20, swing-kit-flow is using vaadin 24+ version, the related issue has been fixed.
    · cpe:2.3:a:vaadin:flow-server::::::::
    · cpe:2.3:a:vaadin:vaadin::::::::

• 📔 No Core License Issues

• 📔 No License Issues

• 🟠 Changes in 24.9-SNAPSHOT since V24.9.17

  • 4 packages removed (4 external, 0 vaadin)
  • 3 packages added (3 external, 0 vaadin)
  • 175 packages modified (78 external, 97 vaadin)
  • 543 packages same (405 external, 138 vaadin)

[Click for more Details]