Update HikariCP to 7.0.1 #4004

xerial-bot · 2025-08-09T00:12:58Z

About this PR

📦 Updates com.zaxxer:HikariCP from 6.3.2 to 7.0.1 ⚠

Usage

✅ Please merge!

I'll automatically update this PR to resolve conflicts as long as you don't change it yourself.

If you'd like to skip this version, you can just close this PR. If you have any feedback, just mention me in the comments below.

Configure Scala Steward for your repository with a .scala-steward.conf file.

Have a fantastic day writing Scala!

⚙ Adjust future updates

Add this to your .scala-steward.conf file to ignore future updates of this dependency:

updates.ignore = [ { groupId = "com.zaxxer", artifactId = "HikariCP" } ]

Or, add this to slow down future updates of this dependency:

dependencyOverrides = [{
  pullRequests = { frequency = "30 days" },
  dependency = { groupId = "com.zaxxer", artifactId = "HikariCP" }
}]

^{labels: library-update}

gemini-code-assist

Summary of Changes

Hello @xerial-bot, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

I've updated the HikariCP dependency to its latest version, 7.0.1, from the previous 6.3.2. This ensures we're using the most recent stable release of this connection pool, which can bring performance improvements and bug fixes.

Highlights

Dependency Update: The com.zaxxer:HikariCP library has been updated from version 6.3.2 to 7.0.1.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request updates HikariCP from version 6.3.2 to 7.0.1. While this appears to be a routine dependency update, it raises a significant security concern. The official com.zaxxer:HikariCP artifact's latest version is 5.1.0. The versions 6.3.2 and 7.0.1, while using the official groupId, seem to originate from an unofficial source. This is a potential dependency hijacking or supply chain security risk. I have added a critical review comment to address this.

gemini-code-assist · 2025-08-09T00:14:04Z

build.sbt

@@ -726,7 +726,7 @@ lazy val jdbc =
        "org.xerial"     % "sqlite-jdbc" % SQLITE_JDBC_VERSION,
        "org.duckdb"     % "duckdb_jdbc" % "1.3.2.0",
        "org.postgresql" % "postgresql"  % "42.7.7",
-        "com.zaxxer"     % "HikariCP"    % "6.3.2",
+        "com.zaxxer"     % "HikariCP"    % "7.0.1",


This update to HikariCP version 7.0.1 introduces a potential security vulnerability. The official com.zaxxer:HikariCP dependency's latest version is 5.1.0. The versions 6.3.2 (the previous version) and 7.0.1 (the new version) appear to be from an unofficial fork that is using the official com.zaxxer groupId. This practice, known as dependency confusion or hijacking, is a significant security risk as it could introduce malicious code.

It is strongly recommended to switch to the official HikariCP releases. If a fork is necessary for specific features, it must be published under a distinct groupId to ensure dependency integrity and avoid security risks.

com.zaxxer is an official HikariCP org

Update HikariCP to 7.0.1

a66bb05

xerial-bot added the library-update label Aug 9, 2025

gemini-code-assist bot reviewed Aug 9, 2025

View reviewed changes

xerial merged commit 3bc41d7 into main Aug 13, 2025
20 checks passed

xerial deleted the update/HikariCP-7.0.1 branch August 13, 2025 05:06

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update HikariCP to 7.0.1 #4004

Update HikariCP to 7.0.1 #4004

Uh oh!

xerial-bot commented Aug 9, 2025

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

gemini-code-assist bot left a comment

Uh oh!

gemini-code-assist bot Aug 9, 2025

Uh oh!

xerial Aug 13, 2025

Uh oh!

Uh oh!

Uh oh!

Update HikariCP to 7.0.1 #4004

Update HikariCP to 7.0.1 #4004

Uh oh!

Conversation

xerial-bot commented Aug 9, 2025

About this PR

Usage

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist bot Aug 9, 2025

Choose a reason for hiding this comment

Uh oh!

xerial Aug 13, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!