Closed sebphil closed 1 month ago
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
I agree this wrongly scoped dependency should be removed and a new release should be created ASAP. Not only is it in the wrong scope, it is also flagged with a CVE stopping our local pipelines (CVE-2021-32827). How did it even get through?
I've created #1018 to (at least) move it to test scope already.
The 9.4.0 release has a dependency on org.mock-server:mockserver-junit-rule-no-dependencies:5.14.0 which is lacking the 'test' scope, therefore it is pulled alongside the firebase-admin dependency. This causes an issue with the SLF4J library because of the org.slf4j.helpers.NOPLoggerFactory included in this incorrect dependency taking precedence over the Logback LoggerFactory.
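A build-time check for the scope leak described in this issue, as an added example that is not code from the thread or from the firebase-admin project. It generalizes from the one artifact to any test tooling declared without test scope; the hint list, the function name and the sample POM (with placeholder versions) are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumed heuristic list of coordinates that normally belong in test scope.
TEST_ONLY_HINTS = ("org.mock-server", "junit", "org.mockito")

# Constructed POM fragment mirroring the situation described in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.mock-server</groupId>
      <artifactId>mockserver-junit-rule-no-dependencies</artifactId>
      <version>5.14.0</version>
    </dependency>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <version>0.0.0-placeholder</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>0.0.0-placeholder</version>
    </dependency>
  </dependencies>
</project>"""

def leaked_test_dependencies(pom_xml):
    """Return (groupId:artifactId, effective scope) for test tooling not in test scope."""
    root = ET.fromstring(pom_xml)
    findings = []
    # Only direct <dependencies> entries are inherited transitively by consumers.
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        # Maven treats a missing <scope> as compile, which is transitive.
        scope = dep.findtext("m:scope", default="", namespaces=NS).strip() or "compile"
        optional = dep.findtext("m:optional", default="false", namespaces=NS).strip()
        looks_test_only = any(h in group or h in artifact for h in TEST_ONLY_HINTS)
        if looks_test_only and scope in ("compile", "runtime") and optional != "true":
            findings.append((f"{group}:{artifact}", scope))
    return findings

if __name__ == "__main__":
    for coord, scope in leaked_test_dependencies(SAMPLE_POM):
        print(f"{coord} is in {scope} scope and will reach consumers")
```

Run against a library's published POM before release, a non-empty result means test tooling (and any classes it bundles, such as a logger factory) lands on every consumer's classpath.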