Vulnerable dependencies

[ghost]

I ran Owasp dependency checker on my projet. It reports vulnerabilities from handlebars-spring-boot-starter dependencies:

[platan]

@devnewton Thanks for reporting this issue. Today we released version 0.3.2, which contains the newest dependencies. Please update handlebars-spring-boot-starter to version 0.3.2.

[ghost]

Thank you, with the 0.3.2 I still have an alert on guava. Is it safe to exclude it from dependency?

[platan]

Guava 18.0 is a dependency of handlebars 4.2.0: https://repo1.maven.org/maven2/com/github/jknack/handlebars.java/4.2.0/handlebars.java-4.2.0.pom

Guava is required by default, because handlebars-spring-boot-starter uses guava cache (https://github.com/allegro/handlebars-spring-boot-starter#custom-cache-template, https://github.com/jknack/handlebars.java#the-cache-system).

So you have two options:

• update Guava to version >= 25 (this version does not have vulnerabilities reported by Owasp dependency checker).
• change TemplateCache implementation (https://github.com/allegro/handlebars-spring-boot-starter#custom-cache-template, https://github.com/jknack/handlebars.java#the-cache-system)

[KKolej]

actually we have open issue https://github.com/allegro/handlebars-spring-boot-starter/issues/47 to update handlerbars to 4.3.x that is using guava 31.0.1