Merge pull request #114 from guardian/ash/VulnFixes

Ash/vuln fixes

app/controllers/Application.scala

@@ -16,7 +16,7 @@
 
 package controllers
 
-import akka.actor.ActorSystem
+import org.apache.pekko.actor.ActorSystem
 import com.madgag.scalagithub.model.RepoId
 import lib.{Bot, RepoSnapshot}
 import play.api.Logging

app/controllers/RepoAcceptListService.scala

@@ -1,7 +1,7 @@
 package controllers
 
-import akka.actor.ActorSystem
-import akka.stream.Materializer
+import org.apache.pekko.actor.ActorSystem
+import org.apache.pekko.stream.Materializer
 import com.madgag.github.Implicits._
 import com.madgag.scalagithub.GitHub
 import com.madgag.scalagithub.model.{Repo, RepoId}

app/lib/Delayer.scala

@@ -1,6 +1,6 @@
 package lib
 
-import akka.actor.ActorSystem
+import org.apache.pekko.actor.ActorSystem
 
 import java.util.concurrent.TimeUnit
 import scala.concurrent.ExecutionContext.Implicits.global

app/lib/Droid.scala

@@ -1,6 +1,6 @@
 package lib
 
-import akka.stream.Materializer
+import org.apache.pekko.stream.Materializer
 import com.madgag.git._
 import com.madgag.scalagithub.GitHub
 import com.madgag.scalagithub.model.RepoId

app/lib/PRUpdater.scala

@@ -1,6 +1,6 @@
 package lib
 
-import akka.stream.Materializer
+import org.apache.pekko.stream.Materializer
 import com.madgag.scalagithub.GitHub
 import com.madgag.scalagithub.commands.CreateComment
 import com.madgag.scalagithub.model.{PullRequest, Repo}

app/lib/RepoSnapshot.scala

@@ -16,7 +16,7 @@
 
 package lib
 
-import akka.stream.Materializer
+import org.apache.pekko.stream.Materializer
 import com.madgag.git._
 import com.madgag.github.Implicits._
 import com.madgag.scala.collection.decorators._

app/lib/RepoUpdater.scala

@@ -1,6 +1,6 @@
 package lib
 
-import akka.stream.Materializer
+import org.apache.pekko.stream.Materializer
 import com.madgag.github.Implicits.{RichFuture, RichSource}
 import com.madgag.scalagithub.GitHub
 import com.madgag.scalagithub.commands.CreateLabel

app/lib/ScanScheduler.scala

@@ -1,6 +1,6 @@
 package lib
 
-import akka.actor.ActorSystem
+import org.apache.pekko.actor.ActorSystem
 
 import java.time.Instant
 import java.time.Instant.now
@@ -11,7 +11,7 @@ import com.madgag.scalagithub.model.RepoId
 import com.madgag.time.Implicits._
 import lib.labels.Seen
 import play.api.Logging
-import play.api.libs.concurrent.Akka
+import play.api.libs.concurrent.Pekko
 
 import java.util.concurrent.atomic.AtomicReference
 import scala.concurrent.ExecutionContext.Implicits.global

build.sbt

@@ -32,12 +32,19 @@ libraryDependencies ++= Seq(
   "com.github.nscala-time" %% "nscala-time" % "2.32.0",
   "io.lemonlabs" %% "scala-uri" % "4.0.3",
   "com.typesafe.scala-logging" %% "scala-logging" % "3.9.5",
-  "com.madgag.play-git-hub" %% "core" % "5.10",
-  "com.madgag.play-git-hub" %% "testkit" % "5.10" % Test,
+  "com.madgag.play-git-hub" %% "core" % "6.0",
+  "com.madgag.play-git-hub" %% "testkit" % "6.0" % Test,
   "com.madgag.scala-git" %% "scala-git-test" % "4.6" % Test,
   "org.scalatestplus.play" %% "scalatestplus-play" % "5.1.0" % Test
 )
 
+// Overidden transient dependencies for Vulnerability fixes
+libraryDependencies ++= Seq(
+  // Introduced through org.webjars:bootstrap:3.4.1
+  // Fix available in next major bootstrap version - this will involve a lot of breaking changes however.
+  "org.webjars" % "jquery" % "3.6.4",
+)
+
 routesImport ++= Seq("com.madgag.scalagithub.model._","com.madgag.playgithub.Binders._")
 
 Compile/doc/sources := Seq.empty

project/build.properties

@@ -1 +1 @@
-sbt.version=1.9.3
+sbt.version=1.9.7

project/plugins.sbt

@@ -1,4 +1,4 @@
-addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.19")
+addSbtPlugin("org.playframework" % "sbt-plugin" % "3.0.0")
 
 addSbtPlugin("com.eed3si9n" % "sbt-buildinfo" % "0.11.0")