Closed scottkennedy closed 8 months ago
Does the report list both versions?
The report from `dependency-check-gradle` only lists 2.8.5. Everything in the Gradle dependency graph shows it's resolved to 2.10.1.
Hmm I added a constraint, and it resolved this. So, never mind.
I'm seeing a reported issue with `gson-2.8.5.jar`, with:
But the dependency graph has:
Due to a newer version of gson being included elsewhere, Gradle is resolving that old transitive dependency to 2.10.1, and including that in the build.
Every gson line in the dependency graph is `com.google.code.gson:gson:2.8.5 -> 2.10.1`. I can't see any actual instance of 2.8.5 being included in the build.
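Added example, not part of the thread and not code from dependency-check-gradle: a small Python triage helper that reads the text of a Gradle dependency graph and reports whether a scanner-reported version is one Gradle actually resolved, or one that was only requested and then replaced (the `2.8.5 -> 2.10.1` case above). The sample graph, the `com.example` coordinates and the function names are constructed for illustration.

```python
import re

# One node of a Gradle dependency tree, e.g.
#   |    \--- com.google.code.gson:gson:2.8.5 -> 2.10.1
# Rich version syntax such as "{strictly 2.10.1}" is not handled here.
NODE = re.compile(
    r"^[\s|]*[+\\]--- "
    r"(?P<group>[^\s:]+):(?P<name>[^\s:]+)"
    r"(?::(?P<requested>[^\s:]+))?"
    r"(?: -> (?P<resolved>\S+))?"
)

def versions(graph_text):
    """Map 'group:name' -> {'requested': set, 'resolved': set}."""
    seen = {}
    for line in graph_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, legends
        entry = seen.setdefault(
            f"{m['group']}:{m['name']}",
            {"requested": set(), "resolved": set()},
        )
        if m["requested"]:
            entry["requested"].add(m["requested"])
        # Without an arrow, the requested version is the resolved one.
        resolved = m["resolved"] or m["requested"]
        if resolved:
            entry["resolved"].add(resolved)
    return seen

def triage(graph_text, module, reported_version):
    """Classify a scanner finding against what this graph resolved."""
    entry = versions(graph_text).get(module)
    if entry is None:
        return "absent"
    if reported_version in entry["resolved"]:
        return "resolved"        # that version is in this configuration
    if reported_version in entry["requested"]:
        return "requested-only"  # asked for, but replaced by Gradle
    return "absent"

# Constructed sample of dependency-graph text for one configuration.
SAMPLE = r"""
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:legacy-client:1.4.0
|    \--- com.google.code.gson:gson:2.8.5 -> 2.10.1
\--- com.example:api-sdk:3.2.0
     \--- com.google.code.gson:gson:2.10.1
"""

if __name__ == "__main__":
    print(triage(SAMPLE, "com.google.code.gson:gson", "2.8.5"))
```

A `requested-only` result covers only the configurations whose graph was fed in, so run it against the graph of each configuration the scanner analyzes before dismissing a finding.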