Closed jbaranski closed 5 months ago
@pjfanning Hi, can you please take a look?
Also, what is the best way to contact you about why I made this PR (users-help@pekko.apache.org)? I'd like to just tell you why I did this before putting it on the PR or public mailing list.
You should not directly contact the PMC to explain why. You should clearly describe the reason for the change in the issue or PR.
Thanks, done.
https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java - v3.19.6 has no CVEs. The issues that you highlight appear to be fixed in v3.19.6.
Yes, I glossed over this... apologies for the noise.
I don't think this is needed so -1 from me.
protobuf-java is just a transitive dependency of org.apache.pekko:pekko-http-scalafix-rules and not pekko-http generally, via:
[info] +-org.scalameta:parsers_2.13:4.9.1 [S]
[info] +-org.scalameta:trees_2.13:4.9.1 [S]
[info] +-org.scalameta:common_2.13:4.9.1 [S]
[info] +-com.lihaoyi:sourcecode_2.13:0.3.1 [S]
[info] +-com.thesamet.scalapb:scalapb-runtime_2.13:0.11.15 [S]
[info] +-com.google.protobuf:protobuf-java:3.19.6
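The check this thread turns on, as an added example that is not code from the PR or from Pekko: parse `sbt dependencyTree`-style output, find the path that pulls in protobuf-java, and flag it only when the resolved version is below the one the reviewer names as fixed (3.19.6). The sample tree, its nesting, the root coordinate and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of `sbt dependencyTree` output. The nesting
# and the root coordinate are assumptions: the thread shows the chain with
# its indentation lost.
SAMPLE = """\
[info] org.example:root_2.13:0.0.0 [S]
[info]   +-org.scalameta:parsers_2.13:4.9.1 [S]
[info]     +-org.scalameta:trees_2.13:4.9.1 [S]
[info]       +-org.scalameta:common_2.13:4.9.1 [S]
[info]         +-com.lihaoyi:sourcecode_2.13:0.3.1 [S]
[info]         +-com.thesamet.scalapb:scalapb-runtime_2.13:0.11.15 [S]
[info]           +-com.google.protobuf:protobuf-java:3.19.6
"""

# Indentation prefix (spaces and '|'), optional "+-", then group:artifact:version.
LINE = re.compile(r"^\[info\] ([ |]*)(?:\+-)?([^\s:]+):([^\s:]+):(\S+)")

def version_key(v):
    """Numeric tuple for a dotted version; a '-qualifier' suffix is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def find_paths(tree_text, group, artifact):
    """Return (path_from_root, version) for every occurrence of group:artifact."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # spacer lines and non-tree log output
        depth = len(m.group(1)) // 2  # two prefix characters per tree level
        del stack[depth:]  # drop siblings and deeper nodes
        stack.append(f"{m.group(2)}:{m.group(3)}:{m.group(4)}")
        if (m.group(2), m.group(3)) == (group, artifact):
            hits.append((list(stack), m.group(4)))
    return hits

def triage(tree_text, group, artifact, fixed_in):
    """Report each occurrence; needs_bump is True only below fixed_in."""
    return [
        {"version": v, "direct": len(path) == 2, "path": path,
         "needs_bump": version_key(v) < version_key(fixed_in)}
        for path, v in find_paths(tree_text, group, artifact)
    ]

if __name__ == "__main__":
    for hit in triage(SAMPLE, "com.google.protobuf", "protobuf-java", "3.19.6"):
        print(hit["version"], "needs bump:", hit["needs_bump"])
        print("  via " + " -> ".join(hit["path"]))
```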
Address the following known issues with protobuf-java: https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774
Before/after the fix, run:
Output before
Output after