Closed casewalker closed 8 months ago
@mikesamuel If you could take a look, that would be greatly appreciated.
+1
+1 @mikesamuel
I think dependabot can create such PR. Saw one for another version - https://github.com/OWASP/java-html-sanitizer/pull/284. Also there is some PR on removing the dependency https://github.com/OWASP/java-html-sanitizer/pull/272
@subbudvk If you read the comments on the PR you linked and check the Guava link I shared above, you'll see that the Dependabot PR is trying to upgrade from one vulnerable version to another vulnerable version.
@jmanico Hello, I saw that you recently reviewed a PR in this repo. I am trying to have some CVEs addressed by bumping to the latest version of Guava. If you could review this PR, that would be greatly appreciated.
Thanks!
@casewalker this can be closed now that https://github.com/OWASP/java-html-sanitizer/pull/272 has been merged
This is obviated by https://github.com/OWASP/java-html-sanitizer/commit/3b6cc1b7e6d7992c5b15f87f91dc163de7d35c05 which removes the guava dependency entirely
Beautiful, thanks for addressing the underlying issue!!
Upgrades past CVE-2023-2976 and CVE-2020-8908 to the latest Guava version.