Several project dependencies are outdated #131
Comments
binkley
changed the title
|
I can't process an issue that boils down to, "old versions, lolz!". If you have something specific you want to fix please submit a PR. Note that some dependencies are pinned due to supporting older Java versions. |
gaul
pushed a commit
that referenced
this issue
Aug 28, 2021
The plexus-utils dependency is upstream in this project, and triggers a CVE for XML injection. I was unable to find ill effect from excluding plexus-utils as a transitive dependency. See https://nvd.nist.gov/vuln/detail/CVE-2017-1000487 Fixes andygoossens/gradle-modernizer-plugin#1. References #131. Co-authored-by: Brian Oxley <boxley@thoughtworks.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I ran into an issue with CVE dependency scanning for Gradle counterpart to this plugin which depends on this project.
Transitively, there is a dependency here on a crufty version of
plexus-utilsthat has an XML injection security bug. I filled against the Gradle plugin project here:andygoossens/gradle-modernizer-plugin#1
Reviewing
pom.xmlfor the plugin, I see many or most dependencies our outdated. A refresh to latest or near latest versions would likely address the CVE, as well as pick up any dependency bug fixes that have happened along the way. It's not sexy work, but is good craftsmanship.When I gain some roundtuits, I may try updating myself, and see how it goes.
The text was updated successfully, but these errors were encountered: