Open binkley opened 3 months ago
Regarding each in turn:
org.eclipse.jgit-6.7.0.202309050840-r.jar: we've got to make some changes to adapt to a new API after this (#1949), a new JGit (6.10) is supposed to come out any day now, so that'll be a good time
org.eclipse.osgi-3.18.300.jar: this should be trivial to bump
plexus-resources-1.2.0.jar: I had been holding this back with the idea of preserving compat, but sure we can bump to 1.3.0
@nedtwigg Sounds like y'all are on top of this already. Again, thanks for considering an Issue that is the result of clear user error. 😄
Summary
An accidental discovery: making Spotless a dependency instead of a plugin (yes, it was a mistake) turned up multiple CVEs from DependencyCheck. This tells me 2 things:
Obviously, this is a user goof; however, it tells me that Spotless may need to refresh/update dependencies for the plugins. On the other hand, some of these may be build-only dependencies for the plugin? Either way, there are some outdated dependencies in the plugin.
CVEs with 2.43.0:
My issue post focuses on the Maven plugin. I haven't tried doing the same with the Gradle plugin.
Maven version
3.9.6
Spotless version
2.43.0
OS version
Not relevant, however "Linux Hobbiton 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux" running Ubuntu under WSL2 on Windows 11.
Spotless configuration block
No configuration block provided.
Console output
I wanted to paste the full ./mvnw -X verify output, however two problems: