Open treebreath opened 1 month ago
We have a big update in the 4.0.x version, so if this information matters to you, I strongly suggest updating easyexcel to 4.0.x.
AFAIK, version 3.x.x is no longer supported unless there is a major bug.
Up to version 4.0.3, this vulnerability in commons-compress has not been addressed. You can try excluding it and manually adding the dependency yourself. In our tests, this approach hasn't caused any issues so far.

```xml
<!-- Exclude the commons-compress version that easyexcel pulls in transitively -->
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>easyexcel</artifactId>
    <version>x.x.x</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Re-add commons-compress explicitly at a version without the reported issues -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>1.26.1</version>
</dependency>
```
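To confirm that the exclusion and explicit pin above actually took effect in the resolved build, the following added example (not code from the easyexcel project or from the commenter) parses the output of `mvn dependency:tree` and flags a resolved commons-compress version below the pin suggested in this thread, or a tree where commons-compress is missing entirely (excluded but not re-added, which breaks easyexcel at runtime). The two tree snippets are constructed samples shaped like Maven's output, not the real tree of any easyexcel release; `MIN_COMPRESS_VERSION` is taken from the 1.26.1 pin in the thread and should be confirmed against the linked advisories.

```python
"""Check the resolved commons-compress version in `mvn dependency:tree` output.

Added example, not part of the easyexcel project. Run
    mvn dependency:tree -Dincludes=org.apache.commons:commons-compress
and feed the output to check_tree(). The two trees below are constructed
samples that mimic the format, not real output of any easyexcel version.
"""
import re
from typing import List, Optional, Tuple

# Minimum version taken from the pin suggested in the thread (assumption:
# confirm the fixed version against the advisories before relying on it).
MIN_COMPRESS_VERSION = "1.26.1"
TARGET = ("org.apache.commons", "commons-compress")

# Constructed sample: easyexcel pulling commons-compress 1.25.0 transitively.
TREE_BEFORE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] \\- com.alibaba:easyexcel:jar:4.0.3:compile
[INFO]    \\- com.alibaba:easyexcel-core:jar:4.0.3:compile
[INFO]       \\- org.apache.commons:commons-compress:jar:1.25.0:compile
"""

# Constructed sample: after the exclusion and explicit pin from the thread.
TREE_AFTER = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- com.alibaba:easyexcel:jar:4.0.3:compile
[INFO] |  \\- com.alibaba:easyexcel-core:jar:4.0.3:compile
[INFO] \\- org.apache.commons:commons-compress:jar:1.26.1:compile
"""

# Maven coordinates as printed by dependency:tree:
#   groupId:artifactId:type[:classifier]:version[:scope]
# The tree-drawing prefix (| + - \ and spaces) is skipped. Verbose-mode nodes
# wrapped in parentheses ("omitted for conflict") do not match and are ignored.
COORD_RE = re.compile(r"^\[INFO\]\s+(?:[|+\\\- ]*)((?:[\w.\-]+:){2,5}[\w.\-]+)\s*$")


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every resolved node."""
    nodes = []
    for line in text.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # The root artifact has no scope (g:a:type:version); every other
        # node ends in a scope, so the version is the second-to-last field.
        version = parts[3] if len(parts) == 4 else parts[-2]
        nodes.append((parts[0], parts[1], version))
    return nodes


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version for ordering: '1.26.1' -> (1, 26, 1).
    Non-numeric tails such as '-SNAPSHOT' are dropped."""
    nums = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        nums.append(int(digits.group()))
    return tuple(nums)


def resolved_compress_version(text: str) -> Optional[str]:
    """Version of commons-compress Maven actually resolved, or None if absent."""
    for group, artifact, version in parse_tree(text):
        if (group, artifact) == TARGET:
            return version
    return None


def check_tree(text: str, minimum: str = MIN_COMPRESS_VERSION) -> Tuple[bool, str]:
    """(ok, message): ok only when commons-compress is present at >= minimum."""
    version = resolved_compress_version(text)
    if version is None:
        return False, "commons-compress not found in tree (excluded without re-adding?)"
    if version_key(version) < version_key(minimum):
        return False, f"commons-compress {version} resolved; need >= {minimum}"
    return True, f"commons-compress {version} resolved (>= {minimum})"


if __name__ == "__main__":
    for name, tree in (("before", TREE_BEFORE), ("after", TREE_AFTER)):
        ok, msg = check_tree(tree)
        print(f"{name}: {'OK ' if ok else 'FAIL'} {msg}")
```

In a CI job, pipe the real `mvn dependency:tree` output into `check_tree` and fail the build on `ok == False`; the "not found" branch catches the case where the exclusion was added but the explicit dependency was forgotten.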
Hi, I am using version 4.0.3, and it flags two transitively vulnerable dependencies: maven:org.apache.commons:commons-compress:1.25.0
- https://github.com/advisories/GHSA-4265-ccf5-phj5 7.5 Allocation of Resources Without Limits or Throttling vulnerability with High severity found
- https://github.com/advisories/GHSA-4g9r-vxhx-9pgx 5.5 Loop with Unreachable Exit Condition ("Infinite Loop") vulnerability with Medium severity found
I just mean that if I use version 3.3.3 it flags five transitively vulnerable dependencies, so version 4.x still leaves 2 security risks.
I think @Allamss's suggestion is a good idea. We will fix these later.
Please read the documentation first:
Quick Start, FAQ
Description of the triggering scenario
Dependency code,
The version in use is 4.0.3
IDEA highlights the risk
If version 3.3.3 is used, there are 5 risk warnings