autonomousapps / dependency-analysis-gradle-plugin

Gradle plugin for JVM projects written in Java, Kotlin, Groovy, or Scala; and Android projects written in Java or Kotlin. Provides advice for managing dependencies and other applied plugins.
Apache License 2.0

Upgrade Moshi dependency to avoid CVE-2022-3635 #1155

Closed alllex closed 2 months ago

alllex commented 2 months ago

Plugin version 1.31.0

The plugin transitively brings the okio:2.10.0 dependency that is affected by CVE-2022-3635.

com.autonomousapps:dependency-analysis-gradle-plugin:
- com.squareup.moshi:moshi:1.14.0
  - com.squareup.okio:okio:2.10.0

In the gradle/gradle build, we bump the okio dependency to 3.4.0, and this seems to work. https://github.com/gradle/gradle/blob/b19e8fdce25b3f7973b36f9882d9afdfaa5f0434/build-logic-commons/build-platform/build.gradle.kts#L38-L41
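One way for a consuming build to apply the same workaround until the plugin ships with an upgraded Moshi, as an added example that is not part of this issue, the gradle/gradle build, or the plugin's own code: a buildscript dependency constraint that raises okio on the plugin classpath. It assumes a Kotlin DSL `build.gradle.kts` in which the plugin is applied through `plugins {}` and resolved through the same `classpath` configuration the constraint targets; the plugin id and the `buildEnvironment` check are assumptions, not taken from the issue.

```kotlin
// build.gradle.kts of a project that applies the plugin (added example, not from the issue).
// Assumption: the plugin is applied via the plugins {} block below and its Moshi 1.14.0
// dependency pulls in okio 2.10.0, which is affected by CVE-2022-3635.
buildscript {
    dependencies {
        constraints {
            // A constraint, not a direct dependency: it adds nothing to the classpath by
            // itself and only takes effect when okio is already being resolved, in which
            // case Gradle picks at least 3.4.0 (the version the issue reports as working).
            "classpath"("com.squareup.okio:okio:3.4.0") {
                because("CVE-2022-3635 in okio 2.10.0, pulled in transitively via moshi 1.14.0")
            }
        }
    }
}

plugins {
    // Plugin id assumed for the example; version is the one reported in the issue.
    id("com.autonomousapps.dependency-analysis") version "1.31.0"
}

// Verification (assumed procedure): `./gradlew buildEnvironment` prints the resolved
// buildscript classpath; the okio line should show the upgrade as
//   com.squareup.okio:okio:2.10.0 -> 3.4.0
// If it still reads 2.10.0, the plugin classpath is not governed by this constraint and
// the version has to be pinned wherever that classpath is actually resolved.
```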