JLLeitschuh / ktlint-gradle

A ktlint gradle plugin
MIT License

Upgrade ktlint-cli -> `VULNERABILITY` on logback-classic #764

Closed zelyon closed 5 months ago

zelyon commented 5 months ago

Need to upgrade the dependency com.pinterest.ktlint:ktlint-cli:1.0.1 to 1.1.0 in order to upgrade the dependency ch.qos.logback:logback-classic:1.3.5 to 1.3.14.

The dependency ch.qos.logback:logback-classic:1.3.5 contains a vulnerability: CWE-502 | Deserialization of Untrusted Data.

wakingrufus commented 5 months ago

ktlint-gradle does not have a transitive dependency on ktlint (or logback). For projects using ktlint-gradle, the versions of those libraries used on the buildscript classpath are determined by the plugin's configuration of the ktlint version, e.g.

ktlint {
    version.set("1.1.0")
}
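One way to confirm what actually landed on the classpath after changing the ktlint version, as an added example that is not code from ktlint-gradle or from either commenter: a small Python check that parses the text report printed by `gradle dependencies` and flags ch.qos.logback:logback-classic below 1.3.14 or com.pinterest.ktlint:ktlint-cli below 1.1.0, the two versions named in this issue. It assumes the plugin's resolvable configuration is called `ktlint` (an assumption, check `./gradlew dependencies` for the real name), and the two reports embedded in the script are constructed by hand to stand in for before/after output.

```python
"""Check the versions Gradle actually resolved for the ktlint classpath.

Added example, not code from ktlint-gradle or the issue thread. Parses the
tree that `./gradlew dependencies --configuration ktlint` prints (the
configuration name `ktlint` is an assumption) and compares the resolved
versions against the floors named in the issue.
"""
import re
import sys
from typing import Dict, List, Tuple

# Floors from the issue: ktlint-cli 1.1.0 is the release that pulls in
# logback-classic 1.3.14 instead of 1.3.5.
MINIMUM_SAFE = {
    "ch.qos.logback:logback-classic": "1.3.14",
    "com.pinterest.ktlint:ktlint-cli": "1.1.0",
}

# Gradle tree lines look like `+--- group:artifact:requested -> resolved (*)`.
# The `-> resolved` part only appears when conflict resolution or a
# constraint changed the version, so the parser must prefer it when present.
DEP_LINE = re.compile(
    r"""[+\\]---\s+
        (?P<ga>[\w.\-]+:[\w.\-]+)            # group:artifact
        (?::(?P<requested>[\w.\-+]+))?       # optional requested version
        (?:\s+->\s+(?P<resolved>[\w.\-+]+))? # optional "-> resolved"
    """,
    re.VERBOSE,
)

# Constructed sample reports (not real Gradle output) for a project still on
# ktlint-cli 1.0.1 and for the same project after setting version 1.1.0.
REPORT_BEFORE = r"""
ktlint - Classpath for the ktlint CLI (constructed sample).
\--- com.pinterest.ktlint:ktlint-cli:1.0.1
     +--- ch.qos.logback:logback-classic:1.3.5
     |    \--- ch.qos.logback:logback-core:1.3.5
     \--- org.slf4j:slf4j-api:2.0.9
"""

REPORT_AFTER = r"""
ktlint - Classpath for the ktlint CLI (constructed sample).
\--- com.pinterest.ktlint:ktlint-cli:1.1.0
     +--- ch.qos.logback:logback-classic:1.3.14
     |    \--- ch.qos.logback:logback-core:1.3.14
     \--- org.slf4j:slf4j-api:2.0.7 -> 2.0.9
"""


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key for Maven-style versions: dotted numbers compared as ints
    (so 1.3.5 < 1.3.14), and a plain release sorts after any qualifier
    (so 1.3.14-SNAPSHOT < 1.3.14). Not a full Maven comparator."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", base))
    return (numbers, 0 if qualifier else 1, qualifier)


def parse_report(report: str) -> Dict[str, str]:
    """Map group:artifact -> version that Gradle resolved on the classpath."""
    resolved: Dict[str, str] = {}
    for line in report.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        version = match.group("resolved") or match.group("requested")
        if version:
            resolved[match.group("ga")] = version
    return resolved


def find_below_minimum(
    resolved: Dict[str, str], minimum: Dict[str, str] = MINIMUM_SAFE
) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved, floor) for every tracked artifact whose
    resolved version is below the floor; absent artifacts are not reported."""
    findings = []
    for coordinate, floor in minimum.items():
        got = resolved.get(coordinate)
        if got is not None and version_key(got) < version_key(floor):
            findings.append((coordinate, got, floor))
    return sorted(findings)


if __name__ == "__main__":
    # Pipe a real report in, or fall back to the constructed "before" sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else REPORT_BEFORE
    for coordinate, got, floor in find_below_minimum(parse_report(text)):
        print(f"{coordinate} resolved to {got}, below {floor}")
```

Run it as `./gradlew dependencies --configuration ktlint | python check_ktlint_classpath.py` (substituting the configuration name your build actually reports); an empty output means both artifacts are at or above the floors from this issue.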