aliyun / tea-java

Tea core for Java
Apache License 2.0
8 stars, 9 forks

CVE-2021-0341: Use of old (non-maintained) okhttp #170

Open mrwilby opened 1 year ago

mrwilby commented 1 year ago

The tea library is a transitive dependency of some other aliyun libraries which my company uses.

Unfortunately, this library is using a non-maintained version of okhttp which has a known security vulnerability disclosure:

https://nvd.nist.gov/vuln/detail/CVE-2021-0341

The dependency is from here: https://github.com/aliyun/tea-java/blob/master/pom.xml#L68

The maintainers of okhttp indicate that they will not patch the v3 library with a correction. However, the more recent 4.x series has been fixed.

Can this library be upgraded and then re-released using okhttp v4 or newer?
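Added example (not part of this issue or of the tea-java project): while the upstream pom.xml still declares okhttp 3.x, a project that pulls tea-java in transitively can pin okhttp to a 4.x release in its own Maven build and have the build fail if any 3.x copy slips back in. It assumes the consumer uses Maven, that okhttp 4.x is published under the same coordinates `com.squareup.okhttp3:okhttp` that the 3.x line uses, and that `okhttp.version` is a placeholder to be replaced with the current 4.x release; the enforcer rule uses the `bannedDependencies` version-range syntax.

```xml
<!-- Fragment of the consumer project's pom.xml (added example, not tea-java's own pom). -->
<project>
  <properties>
    <!-- Placeholder: set to the current okhttp 4.x release that carries the fix. -->
    <okhttp.version>4.x.y</okhttp.version>
  </properties>

  <!-- dependencyManagement wins over the version tea-java declares transitively. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>${okhttp.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Fail the build if any unmaintained okhttp 3.x still reaches the classpath. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-unmaintained-okhttp</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Every okhttp version below 4.0 is banned, transitive ones included. -->
                    <exclude>com.squareup.okhttp3:okhttp:[,4.0)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm which okhttp version actually resolves, run `mvn dependency:tree -Dincludes=com.squareup.okhttp3` in the consumer project and check that only the pinned 4.x artifact appears. The override relies on okhttp 4.x keeping the `okhttp3` package and API that tea-java compiles against; treat that as an assumption and cover the upgraded classpath with the project's own integration tests before shipping.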

mrwilby commented 1 year ago

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

mrwilby commented 1 year ago

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-0833

ErkangXu commented 2 days ago

Can we please update the dependency?