chore(deps): update dependency papermc to v1.21.10

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
papermc (source)	patch	1.21.4 -> 1.21.10

---

Release Notes

PaperMC/Paper (papermc)

v1.21.7

Compare Source

v1.21.6

Compare Source

v1.21.5

Compare Source

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[Djaytan]

Waiting PaperMC team to release a stable version.

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test
- digest	3c6c37e3f2f8	ce4ea8380b66
- tag	1.21.4	test
- stream	latest
- provenance	221f80c
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	133 MB	145 MB (+12 MB)
- packages	170	177 (+7)
Base Image	alpine:3.22.0 also known as: • 3 • 3.22 • latest	alpine:3 also known as: • 3.22 • latest
- vulnerabilities

Policies (1 improved, 1 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test	Change	Standing
No unapproved base images	⚠️ 1	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 7	⚠️ 4	-3	Improved
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (31 package changes and 1 vulnerability changes)

• ➕ 8 packages added
• ➖ 1 packages removed
• ♾️ 22 packages changed
• 143 packages unchanged

• ✔️ 1 vulnerabilities removed

Changes for packages of type apk (7 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➕	alpine-base		3.22.0-r0
➕	ca-certificates		20241121-r2
➕	gcc		14.2.0-r6
➕	ncurses		6.5_p20250503-r0
➕	openssl		3.5.0-r0
			Added vulnerabilities (1):
➕	pax-utils		1.3.8-r1
➕	xz		5.8.1-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➖	openjdk	21.0.7
➕	openjdk		21.0.7

Changes for packages of type maven (22 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
♾️	com.google.protobuf/protobuf-java	4.26.1	4.29.0
		Removed vulnerabilities (1):
♾️	com.mysql/mysql-connector-j	9.1.0	9.2.0
♾️	io.netty/netty-codec-haproxy	4.1.115.Final	4.1.118.Final
♾️	io.papermc.paperclip.Main/papermc-server	1.21.4-232	1.21.8-60
♾️	net.kyori.adventure.key/adventure-key	4.20.0	4.24.0
♾️	net.kyori.adventure.text.logger.slf4j/adventure-text-logger-slf4j	4.20.0	4.24.0
♾️	net.kyori.adventure.text.minimessage/adventure-text-minimessage	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.ansi/adventure-text-serializer-ansi	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.constant/adventure-text-serializer-commons	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.gson/adventure-text-serializer-gson	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.json/adventure-text-serializer-json	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.legacy/adventure-text-serializer-legacy	4.20.0	4.24.0
♾️	net.kyori.adventure.text.serializer.plain/adventure-text-serializer-plain	4.20.0	4.24.0
♾️	net.kyori.adventure/adventure-api	4.20.0	4.24.0
♾️	net.md-5/bungeecord-chat	1.20-R0.2	1.21-R0.2
♾️	org.bukkit/paper-api	1.21.4-R0.1-SNAPSHOT	1.21.8-R0.1-SNAPSHOT
♾️	org.objectweb.asm.commons/asm-commons	9.7.1	9.8
♾️	org.objectweb.asm.tree/asm-tree	9.7.1	9.8
♾️	org.spongepowered.configurate.yaml/configurate-yaml	4.2.0-20250225.064233-199	4.2.0
♾️	org.spongepowered.configurate/configurate-core	4.2.0-20250225.064233-204	4.2.0
♾️	org.xerial/sqlite-jdbc	3.47.0.0	3.49.1.0
♾️	spark-paper/spark-paper	1.10.119-20241121.092015-1	1.10.133-20250413.112336-1

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:ce4ea8380b66aa5b3c08df7f37e7f8cefef8f5677f292b3470f280e5a9e059e1
vulnerabilities
platform	linux/amd64
size	145 MB
packages	177

📦 Base Image alpine:3

also known as	3.22 3.22.0 latest
digest	sha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilities

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/[email protected] Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.279% EPSS Percentile 51st percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.280% EPSS Percentile 51st percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.311% EPSS Percentile 54th percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.119% EPSS Percentile 32nd percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.012% EPSS Percentile 1st percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

golang.org/x/net 0.34.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.38.0 Fixed version 0.38.0 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N EPSS Score 0.023% EPSS Percentile 5th percentile Description The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). Misinterpretation of Input Affected range <0.36.0 Fixed version 0.36.0 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L EPSS Score 0.015% EPSS Percentile 2nd percentile Description Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

stdlib 1.24.4 (golang) pkg:golang/[email protected] Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.022% EPSS Percentile 4th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/[email protected] Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.066% EPSS Percentile 21st percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

openssl 3.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <3.5.1-r0 Fixed version 3.5.1-r0 EPSS Score 0.039% EPSS Percentile 11th percentile Description

busybox 1.37.0-r18 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <=1.37.0-r19 Fixed version Not Fixed EPSS Score 0.011% EPSS Percentile 1st percentile Description Affected range <=1.37.0-r19 Fixed version Not Fixed EPSS Score 0.015% EPSS Percentile 2nd percentile Description

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud