Quantisan / docker-clojure

Official Docker image for Clojure
https://hub.docker.com/_/clojure/
MIT License
204 stars 34 forks

Question: `latest` image seems to include a few vulnerable maven packages? #152

Closed kipz closed 2 years ago

kipz commented 2 years ago

As per:

https://dso.atomist.com/images/clojure/digests/sha256%3A1e6fea66892ddb3a0e93cc76d130c49eca36e9862e092be0e3c2beb3a79200e9

I think boot, lein and clojure tools are bringing in vulnerable Maven resolver related packages, which I think have been fixed upstream.

I think the latest clojure tools has already been upgraded (though not released?) that does upgrade the offending packages, but I think lein and boot might still be a problem.

cap10morgan commented 2 years ago

We'll need those projects (i.e. lein and boot) to release updated versions. Once they do, we'll release new Docker images for them.
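An added example, not from this issue thread or the docker-clojure project: a POSIX shell inventory of Maven Resolver jars under a filesystem root, so a maintainer can see which resolver versions an image actually ships before and after lein, boot or the Clojure CLI cut a release. The jar names, versions and directory layout built by make_sample_tree are constructed for the demo, and the artifact-name patterns (maven-resolver-*, aether-*) are an assumption about how the jars are named.

```shell
#!/bin/sh
# Added example (not part of the issue or the docker-clojure project):
# inventory jar files whose name looks like a Maven Resolver artifact under a
# given root and print "artifact version path". The sample tree is constructed;
# against a real image run the function inside a container, e.g.
#   docker run --rm clojure:latest sh -c '. ./inventory.sh; list_resolver_jars /'

# list_resolver_jars ROOT -> one line per matching jar: "<artifact> <version> <path>"
list_resolver_jars() {
    root="$1"
    # assumption: resolver jars are named maven-resolver-<module>-<ver>.jar or aether-<module>-<ver>.jar
    find "$root" -type f \( -name 'maven-resolver-*.jar' -o -name 'aether-*.jar' \) 2>/dev/null |
    while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        # version = trailing dash-separated component that starts with a digit
        version=$(printf '%s\n' "$base" | sed -n 's/.*-\([0-9][0-9A-Za-z.]*\)$/\1/p')
        artifact=${base%-"$version"}
        printf '%s %s %s\n' "$artifact" "${version:-unknown}" "$jar"
    done | sort
}

# count_resolver_jars ROOT -> number of matching jars found
count_resolver_jars() {
    list_resolver_jars "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> prints the path of a constructed stand-in for an image filesystem
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/share/java" \
             "$dir/root/.m2/repository/org/apache/maven/resolver/maven-resolver-api/1.6.1"
    # constructed file names and versions, chosen only to exercise the parser
    : > "$dir/usr/share/java/maven-resolver-impl-1.4.1.jar"
    : > "$dir/usr/share/java/clojure-1.11.1.jar"   # not a resolver jar, must be ignored
    : > "$dir/root/.m2/repository/org/apache/maven/resolver/maven-resolver-api/1.6.1/maven-resolver-api-1.6.1.jar"
    printf '%s\n' "$dir"
}

# demo run on the constructed tree
if [ -z "$NO_DEMO" ]; then
    sample=$(make_sample_tree)
    list_resolver_jars "$sample"
    rm -rf "$sample"
fi
```

Leiningen is installed as a single standalone jar that bundles its dependencies, so its resolver classes will not show up as separate files; for it, list the jar's entries (for example with `unzip -l`) and look for the bundled resolver module metadata instead of scanning the filesystem.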