Open jamielwhite opened 2 weeks ago
I made a PR about it: https://github.com/aws/aws-msk-iam-auth/pull/181
Do not hesitate to initiate it next time if you can.
While waiting for the PR to be merged and released, you can manually upgrade the awssdk version; there are no identified incompatibilities with newer versions.
Thanks! We are downloading the packaged jar directly from GitHub in some cases, so we aren't able to override the version in all of our apps.
My team upgraded to the latest release (2.1.1) hoping it would remediate a vulnerability flagged by our scanning software, but it's still identifying a vulnerability for CVE-2024-29025 through this path:
aws-msk-iam-auth-2.1.1-all.jar -> software.amazon.awssdk:2.23.3 -> netty-codec-http:4.1.100.Final
The vulnerability was remediated in netty-codec-http:4.1.108.Final, which is used as of awssdk version 2.25.19. Are there any plans to upgrade the aws-sdk version used by this library?