[security] Update 3rd party dependencies to get rid of all currently known CVE issues

rover886 commented 2 months ago

Hijacking this issue as placeholder for security upgrade.

original text:

The smime-module has dependency on utils-mail-smime and it has dependency on bcjmail-jdk15to18 along with further transitive dependencies from Bouncy Castle.

From your this comment @bbottema I come to know that you are in process of updating 3rd party dependencies, hence consider a suggestion of using bcjmail-jdk18on instead of bcjmail-jdk15to18 as simple-java-mail is compatible from JDK8+.

Also, bc-jdk15to18 JARs are designed to be compatible with JDK versions 1.5 through 1.8, where on other hand bc-jdk18on are designed to be compatible with JDK 1.8 and later versions. So it makes sense, isn't it? even the https://bouncycastle.org/latest_releases.html also says the same.

Please ignore if you have already considered this :)

bbottema commented 2 months ago

Changes:

Dependencies:

Spring 5.3.27 -> 5.3.34
Spring Boot 2.5.15 -> 2.7.18
commons-io 2.7 -> 2.11.0
utils-mail-smime 2.3.1 -> 2.3.3
- org.bouncycastle:bcjmail-jdk15to18 1.75 -> org.bouncycastle:bcjmail-jdk18on 1.78.1
ical4j 2.2.4 -> ical4j-vcard 2.0.0-beta2

Other:

Junit 4 -> Junit 5 (including Mockito, AssertJ and got rid of Powermock)
maven-surefire-plugin 2.19.1 -> 3.2.5

bbottema commented 2 months ago

v8.9.0 was released to Maven Central!

bbottema / simple-java-mail

[security] Update 3rd party dependencies to get rid of all currently known CVE issues #507

Hijacking this issue as placeholder for security upgrade.

Changes: