apache / pekko-http

The Streaming-first HTTP server/module of Apache Pekko
https://pekko.apache.org/
Apache License 2.0

protobuf-java upgrade #533

Closed jbaranski closed 5 months ago

jbaranski commented 5 months ago

Address the following known issues with protobuf-java: https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167772 https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-3167774

Before/after the fix, run:

sbt dependencyTree > output.log && grep -A1 -B1 "protobuf-java" output.log

Output before

...
[info]               +-com.google.protobuf:protobuf-java:3.19.6
...

Output after

...
[info]   |           +-com.google.protobuf:protobuf-java:3.19.6 (evicted by: 3.21.12)
[info]   |           +-com.google.protobuf:protobuf-java:3.21.12
...
jbaranski commented 5 months ago

@pjfanning Hi, can you please take a look?

Also, what is the best way to contact you about why I made this PR (users-help@pekko.apache.org)? I'd like to just tell you why I did this before putting it on the PR or the public mailing list.

laglangyue commented 5 months ago

You should not directly contact the PMC to explain why. You should clearly describe the reason for the change in the issue or PR.

jbaranski commented 5 months ago

> You should not directly contact the PMC to explain why. You should clearly describe the reason for the change in the issue or PR.

Thanks, done.

pjfanning commented 5 months ago

https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java - v3.19.6 has no CVEs. The issues that you highlight appear to be fixed in v3.19.6.

jbaranski commented 5 months ago

> https://mvnrepository.com/artifact/com.google.protobuf/protobuf-java - v3.19.6 has no CVEs. The issues that you highlight appear to be fixed in v3.19.6.

Yes, I glossed over this... apologies for the noise.

pjfanning commented 5 months ago

I don't think this is needed so -1 from me.

protobuf-java is just a transitive dependency of org.apache.pekko:pekko-http-scalafix-rules and not pekko-http generally

via

[info]       +-org.scalameta:parsers_2.13:4.9.1 [S]
[info]         +-org.scalameta:trees_2.13:4.9.1 [S]
[info]           +-org.scalameta:common_2.13:4.9.1 [S]
[info]             +-com.lihaoyi:sourcecode_2.13:0.3.1 [S]
[info]             +-com.thesamet.scalapb:scalapb-runtime_2.13:0.11.15 [S]
[info]               +-com.google.protobuf:protobuf-java:3.19.6
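As an added example that is not part of this PR or of pekko-http itself, the Python script below automates the two checks made in this thread: it parses `sbt dependencyTree` output, treats entries marked `(evicted by: ...)` as not shipped, reports the effective version of an artifact together with the path that pulls it in (the scalameta -> scalapb-runtime -> protobuf-java chain above), and gates on a minimum version. The three sample inputs are constructed from the tree fragments quoted in this thread; the minimum versions used in the demo (3.19.6 and 3.21.12) are taken from the thread and are the reviewer's choice, not something the script derives.

```python
"""Parse `sbt dependencyTree` output and report the effective version of an artifact.

Added example, not part of pekko-http. It answers two review questions from the thread:
  1. Which version of group:artifact actually ends up on the classpath once sbt's
     eviction is taken into account?
  2. Through which chain of dependencies is it pulled in?
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One `sbt dependencyTree` line, e.g.
#   [info]   |           +-com.google.protobuf:protobuf-java:3.19.6 (evicted by: 3.21.12)
# The indent (spaces and '|' bars) before "+-" encodes the depth in the tree.
TREE_LINE = re.compile(
    r"^\[info\](?P<indent>[ |]*)\+-"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>[^\s(]+)"
    r"(?:\s+\[S\])?"
    r"(?:\s+\(evicted by:\s*(?P<evicted_by>[^)]+)\))?"
)


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    evicted_by: Optional[str]       # version that replaced this one, or None if it is effective
    path: Tuple[str, ...]           # coordinates from the outermost visible ancestor down to here


def parse_tree(output: str) -> List[Node]:
    """Turn dependencyTree text (possibly a fragment) into nodes with their ancestor path."""
    nodes: List[Node] = []
    stack: List[Tuple[int, Node]] = []   # (indent width, node) for the current ancestors
    for line in output.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue                      # "...", sbt banners, non-tree [info] lines
        depth = len(m.group("indent"))
        while stack and stack[-1][0] >= depth:   # close siblings and deeper subtrees
            stack.pop()
        parent_path = stack[-1][1].path if stack else ()
        coord = f"{m.group('group')}:{m.group('artifact')}:{m.group('version')}"
        evicted = m.group("evicted_by")
        node = Node(m.group("group"), m.group("artifact"), m.group("version"),
                    evicted.strip() if evicted else None, parent_path + (coord,))
        nodes.append(node)
        stack.append((depth, node))
    return nodes


def effective_versions(nodes: List[Node], group: str, artifact: str) -> Dict[str, List[Tuple[str, ...]]]:
    """Map each NON-evicted version of group:artifact to the paths that pull it in."""
    found: Dict[str, List[Tuple[str, ...]]] = {}
    for n in nodes:
        if n.group == group and n.artifact == artifact and n.evicted_by is None:
            found.setdefault(n.version, []).append(n.path)
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric comparison key: "3.21.12" -> (3, 21, 12). Pre-release suffixes are ignored
    (good enough for protobuf-java's plain x.y.z scheme; not a full Maven comparator)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def meets_minimum(nodes: List[Node], group: str, artifact: str, minimum: str) -> bool:
    """True when every effective version of the artifact is >= minimum.
    An artifact that does not appear in the tree at all passes (nothing to fix), so
    callers that expect it to be present should also check effective_versions() is non-empty."""
    versions = effective_versions(nodes, group, artifact)
    return all(version_key(v) >= version_key(minimum) for v in versions)


# Sample inputs, constructed from the tree fragments posted in the thread.
BEFORE = "[info]               +-com.google.protobuf:protobuf-java:3.19.6\n"
AFTER = (
    "[info]   |           +-com.google.protobuf:protobuf-java:3.19.6 (evicted by: 3.21.12)\n"
    "[info]   |           +-com.google.protobuf:protobuf-java:3.21.12\n"
)
PATH_FRAGMENT = (
    "[info]       +-org.scalameta:parsers_2.13:4.9.1 [S]\n"
    "[info]         +-org.scalameta:trees_2.13:4.9.1 [S]\n"
    "[info]           +-org.scalameta:common_2.13:4.9.1 [S]\n"
    "[info]             +-com.lihaoyi:sourcecode_2.13:0.3.1 [S]\n"
    "[info]             +-com.thesamet.scalapb:scalapb-runtime_2.13:0.11.15 [S]\n"
    "[info]               +-com.google.protobuf:protobuf-java:3.19.6\n"
)

if __name__ == "__main__":
    group, artifact = "com.google.protobuf", "protobuf-java"
    for label, text in (("before", BEFORE), ("after", AFTER), ("path", PATH_FRAGMENT)):
        nodes = parse_tree(text)
        for ver, paths in effective_versions(nodes, group, artifact).items():
            print(f"{label}: effective {artifact} {ver} via " + " -> ".join(paths[0]))
    print("before >= 3.19.6:", meets_minimum(parse_tree(BEFORE), group, artifact, "3.19.6"))
    print("before >= 3.21.12:", meets_minimum(parse_tree(BEFORE), group, artifact, "3.21.12"))
```

Run it against the full `sbt dependencyTree` output rather than a grep excerpt when you want the path, since the parser reconstructs ancestry from indentation and can only show the ancestors that are present in its input.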