ben-manes / gradle-versions-plugin

Gradle plugin to discover dependency updates
Apache License 2.0

CVEs for xstream 1.4.19 #765

Closed ghost closed 1 year ago

ghost commented 1 year ago

xstream has some vulnerabilities which have been fixed in 1.4.20 (https://x-stream.github.io/changes.html).

ben-manes commented 1 year ago

That is a deserialization attack; we are serializing to XML, which is very safe. The upgrade is in master (https://github.com/ben-manes/gradle-versions-plugin/pull/751) and you can use version constraints to manage transitives in your build, so nothing is needed for now.
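The version-constraint approach mentioned above, as an added example that is not part of this thread or of the plugin's own build files: a Groovy `build.gradle` fragment that pins the transitive `xstream` on the buildscript classpath to 1.4.20 and verifies it with a small task. The plugin version `0.42.0` and the resolved-version check are assumptions for illustration; the Maven coordinates `com.github.ben-manes:gradle-versions-plugin` and `com.thoughtworks.xstream:xstream` are real.

```groovy
// build.gradle (Groovy DSL). Added example, not from the gradle-versions-plugin repo.
// Goal: the plugin pulls in xstream 1.4.19 transitively; force 1.4.20 on the
// buildscript classpath without waiting for a plugin release.
buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        // Assumed plugin version for illustration; use whatever you already apply.
        classpath "com.github.ben-manes:gradle-versions-plugin:0.42.0"

        // Preferred: a constraint only raises the version if the dependency is
        // present, and records the reason in dependency reports.
        constraints {
            classpath("com.thoughtworks.xstream:xstream") {
                version {
                    strictly "1.4.20"
                }
                because "transitive 1.4.19 has fixed CVEs; see x-stream.github.io/changes.html"
            }
        }
    }

    // Alternative (older style): hard-force the version regardless of what any
    // plugin declares. Keep only one of the two approaches in a real build.
    // configurations.classpath {
    //     resolutionStrategy.force "com.thoughtworks.xstream:xstream:1.4.20"
    // }
}

apply plugin: "com.github.ben-manes.versions"

// Assumed verification task: fails the build if the resolved buildscript
// classpath still carries an xstream older than 1.4.20.
tasks.register("checkXstreamVersion") {
    group = "verification"
    description = "Asserts the buildscript classpath resolves xstream >= 1.4.20"
    doLast {
        def resolved = buildscript.configurations.classpath
                .resolvedConfiguration.resolvedArtifacts
                .find { it.moduleVersion.id.group == "com.thoughtworks.xstream" &&
                        it.moduleVersion.id.name == "xstream" }
        if (resolved == null) {
            logger.lifecycle("xstream not on the buildscript classpath; nothing to check")
            return
        }
        def version = resolved.moduleVersion.id.version
        def ok = version.tokenize(".").collect { it as int } >= [1, 4, 20]
        if (!ok) {
            throw new GradleException("buildscript classpath resolved xstream ${version}, expected >= 1.4.20")
        }
        logger.lifecycle("xstream resolved to ${version}")
    }
}
```

To confirm the pin took effect without the custom task, run `./gradlew buildEnvironment`; the report shows the buildscript classpath tree with `com.thoughtworks.xstream:xstream:1.4.19 -> 1.4.20` once the constraint applies. Note that this only changes what the build itself loads; it does not affect any xstream version used by your application's own runtime dependencies, which need their own constraint in the relevant configuration.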