Closed AlexandrosMor closed 1 year ago
Hello @joschi, could you please merge this one? It is a security issue. Furthermore, I was wondering how many maintainers there are? Thank you in advance.
@AlexandrosMor Could you please share details about the vulnerability?
I don't find anything about it in the release notes for Maven 3.8.2 and on the Maven Security page.
Furthermore, this dependency is the minimum version of Maven the openapi-diff Maven plugin is working with. If we bump that version, people will (potentially) have to use Maven 3.8.2 or later for using the plugin.
And last but not least, the dependency is in provided scope, which means that we don't even include it in our artifact, and the version of Maven importing the plugin will control which version is actually on the class path.
As an example, the Maven Surefire plugin defines an even lower version of these dependencies:
Hello @joschi, thank you for the quick response. I see that there is a vulnerability here. Apart from that, I ran the repo through https://snyk.io/ and found even more, but all of them are nested dependencies.
Kind regards, Alexandros
@AlexandrosMor Thanks for providing the links!
As explained before, the version of Maven using the openapi-diff Maven plugin ultimately decides which version of the Maven libraries that are declared as provided is actually used.
So there is no security issue in this Maven plugin and I'm closing this PR.
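The scope argument above is the crux of the triage, so here is an added example (not code from openapi-diff or its maintainers) that applies it mechanically: it parses a plugin pom.xml, resolves `${...}` version properties, looks up the flagged groupId:artifactId and reports whether that dependency is resolved for the plugin's own classpath (compile/runtime scope) or, as with provided scope, left to the Maven installation that runs the plugin, in which case bumping the version only raises the minimum Maven version. The pom, coordinates and versions in SAMPLE_POM are constructed for illustration and are not the real openapi-diff pom.

```python
"""Triage a dependency-scanner finding against a Maven plugin pom.xml.

Added example, not project code. Encodes the reasoning from the thread:
a 'provided' dependency of a Maven plugin is not packaged with the plugin
and the host Maven supplies the version actually on the class path.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Scopes Maven resolves for the plugin's own class path at runtime.
# 'provided' and 'test' are excluded: the running Maven supplies the
# former and the latter is never needed outside the plugin's build.
RUNTIME_RESOLVED_SCOPES = {"compile", "runtime"}

# Constructed sample pom (assumed coordinates/versions, not openapi-diff's).
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-maven-plugin</artifactId>
  <version>1.0.0</version>
  <packaging>maven-plugin</packaging>
  <properties>
    <maven.version>3.6.0</maven.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.maven</groupId>
      <artifactId>maven-core</artifactId>
      <version>${maven.version}</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.12.4</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""


def _q(tag):
    return "{%s}%s" % (POM_NS, tag)


def _text(elem, tag, default=None):
    child = elem.find(_q(tag))
    return child.text.strip() if child is not None and child.text else default


def _interpolate(value, props):
    # Resolve ${name} against <properties>; unknown references are kept verbatim.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def load_dependencies(pom_xml):
    """Return the project's direct dependencies with interpolated versions."""
    root = ET.fromstring(pom_xml)
    props = {"project.version": _text(root, "version", "")}
    props_el = root.find(_q("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.replace("{%s}" % POM_NS, "")] = (p.text or "").strip()
    deps = []
    deps_el = root.find(_q("dependencies"))
    for d in (deps_el if deps_el is not None else []):
        deps.append({
            "ga": "%s:%s" % (_text(d, "groupId"), _text(d, "artifactId")),
            "version": _interpolate(_text(d, "version", ""), props),
            "scope": _text(d, "scope", "compile"),  # Maven's default scope
        })
    return deps


def triage(pom_xml, flagged_ga):
    """Decide whether a finding on flagged_ga is actionable in this plugin's pom."""
    for dep in load_dependencies(pom_xml):
        if dep["ga"] != flagged_ga:
            continue
        resolved = dep["scope"] in RUNTIME_RESOLVED_SCOPES
        verdict = ("actionable here: bumping the version changes what runs"
                   if resolved else
                   "supplied by the host Maven: bumping only raises the minimum Maven version")
        return {"declared": True, "version": dep["version"], "scope": dep["scope"],
                "resolved_for_plugin": resolved, "verdict": verdict}
    return {"declared": False, "resolved_for_plugin": None,
            "verdict": "not a direct dependency; trace it with mvn dependency:tree"}


if __name__ == "__main__":
    for ga in ("org.apache.maven:maven-core", "com.fasterxml.jackson.core:jackson-databind"):
        print(ga, triage(SAMPLE_POM, ga))
```

Against a real checkout the same check is `mvn help:effective-pom` to see the interpolated scopes and `mvn dependency:tree -Dincludes=org.apache.maven.shared:maven-shared-utils` to trace the transitive path; the version that actually runs is the one in the Maven installation (`mvn -v`) that invokes the plugin.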
There is a vulnerability in maven-shared-utils and it is fixed by updating maven-core to 3.8.2.