Closed andreikrutsko closed 10 months ago
Hello,
What's strange here is that I can't see the vulnerability on GitHub or on the Maven repository.
The upgrade for plexus-utils will be available in the next version. As this dependency is only used for the code generation (not for the code execution), I don't see this vulnerability as critical.
I have a question about the extract of your pom that you provided. Why is graphql-maven-plugin in a dependency tag? It should be in a plugin, like below.
In the meanwhile, if it's important for you, you can change your pom to add the CVE-free version of plexus-utils, like this:
<plugin>
    <groupId>com.graphql-java-generator</groupId>
    <artifactId>graphql-maven-plugin</artifactId>
    <version>2.3.2</version>
    <configuration>
        ...
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.codehaus.plexus</groupId>
            <artifactId>plexus-utils</artifactId>
            <version>3.0.24</version>
        </dependency>
    </dependencies>
</plugin>
It is not there, but the analyzer somehow finds and reports that. And yes, we've already updated and specified plexus-utils directly. Might be closed as fixed and version updated. Many thanks for the support!!!
Not sure if it is possible due to compatibility, but it would be very much appreciated to try to raise the plexus-utils version to [3.0.24]+ (or higher).