fix(sec): upgrade jetty-server to 11.0.10 #239

Merged
merged 1 commit into from Oct 2, 2022

Conversation

Wninayyds
Contributor

Upgrade jetty-server from 10.0.10 to 11.0.10 for vulnerability fix:

@lincolnthree lincolnthree merged commit 1b40bbb into ocpsoft:master Oct 2, 2022
@lincolnthree
Member

Thanks for this PR!

@ShareASmile
Contributor

@lincolnthree I noticed this jetty-server upgrade has been reverted in the 5.0.5 final commit
8b3cb3f

Any reasons for that, as jetty-server 10.0.10 contains security vulnerabilities?

@ShareASmile
Contributor

ShareASmile commented Oct 28, 2022

There is 11.0.11 you can try updating to, as it is a critical fix over the unstable 11.0.10:
https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.11

Read the comment at Consensys/tessera#1463 (comment).

For reference, there are more updates; see the changelogs:
https://github.com/eclipse/jetty.project/releases

You can also use Jetty 10.0.11, as it has specific fixes that were done in PR
jetty/jetty.project#8165, but read the issue tracker/pull request discussions to find any issues that may arise.

@lincolnthree
Member

lincolnthree commented Nov 1, 2022

My apologies for the confusion.

@ShareASmile Yes, the Jetty version update caused the build to fail, as it is not backwards compatible with v10. Therefore it cannot be merged until those issues are fixed. This dependency is only used in sample repositories and is not a user-facing dependency. Therefore it is not a risk to end users of PrettyTime (unless they are copying sample apps and using them in production, which I do not feel is likely).

In addition, the affected sample uses JSTL, which is 14 years old now. It is highly unlikely that any new projects would copy code from this sample. To be honest, I would rather delete the sample than bother updating this dependency, but if you would like to try to fix the build and make sure it works, I'd be happy to merge again.

It sounds like we should try again with the patched version 10.

3 participants