OWASP / java-html-sanitizer

Takes third-party HTML and produces HTML that is safe to embed in your web application. Fast and easy to configure.

Bump to the latest Guava version to avoid CVEs and be up to date #295

Closed casewalker closed 8 months ago

casewalker commented 9 months ago

Upgrades past CVE-2023-2976 and CVE-2020-8908 to the latest Guava version.

casewalker commented 9 months ago

@mikesamuel If you could take a look, that would be greatly appreciated.

melloware commented 9 months ago

+1

maxibarros commented 9 months ago

+1 @mikesamuel

subbudvk commented 9 months ago

I think Dependabot can create such a PR. I saw one for another version: https://github.com/OWASP/java-html-sanitizer/pull/284. Also there is a PR on removing the dependency: https://github.com/OWASP/java-html-sanitizer/pull/272

casewalker commented 9 months ago

@subbudvk If you read the comments on the PR you linked and check the Guava link I shared above, you'll see that the Dependabot PR is trying to upgrade from one vulnerable version to another vulnerable version.

casewalker commented 8 months ago

@jmanico Hello, I saw that you recently reviewed a PR in this repo. I am trying to have some CVEs addressed by bumping to the latest version of Guava. If you could review this PR, that would be greatly appreciated.

Thanks!

melloware commented 8 months ago

@casewalker this can be closed now that https://github.com/OWASP/java-html-sanitizer/pull/272 has been merged.

mikesamuel commented 8 months ago

This is obviated by https://github.com/OWASP/java-html-sanitizer/commit/3b6cc1b7e6d7992c5b15f87f91dc163de7d35c05, which removes the Guava dependency entirely.

casewalker commented 8 months ago

Beautiful, thanks for addressing the underlying issue!!