javalin / javalin-ssl

Straightforward SSL Configuration for Javalin!
https://javalin.io/plugins/ssl-helpers

Old dependency issue on io.javalin:javalin-parent:5.6.2 for release 5.6.3 #112

Closed p4paul closed 1 year ago

p4paul commented 1 year ago

It seems that the 5.6.3 release has a dependency on the parent 5.6.2...

+--- io.javalin.community.ssl:ssl-plugin:5.6.3
|    +--- io.javalin:javalin-parent:5.6.2

Think it is just the hard-coded version here... https://github.com/javalin/javalin-ssl/blob/b01a8b7a60f9a63713984febb32d1e76c0d74ffb/build.gradle#L45C20-L45C25

I was checking to see if CVE-2023-33201 was resolved...

+--- io.javalin.community.ssl:ssl-plugin:5.6.3
...
|    \--- io.github.hakky54:sslcontext-kickstart-for-pem:8.1.5
|         +--- io.github.hakky54:sslcontext-kickstart:8.1.5 (*)
|         \--- org.bouncycastle:bcpkix-jdk15on:1.70
|              +--- org.bouncycastle:bcprov-jdk15on:1.70
|              \--- org.bouncycastle:bcutil-jdk15on:1.70
|                   \--- org.bouncycastle:bcprov-jdk15on:1.70
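
To check a Gradle tree for this kind of transitive problem without eyeballing it, here is an added Python example (not part of the issue or the plugin's code): it parses `gradle dependencies` output of the form quoted above, lists every chain that pulls in a flagged coordinate, and checks the plugin/parent version mismatch. The sample tree is constructed from the two excerpts in this issue, and the flagged-version policy only contains the bcpkix 1.70 the issue reports.

```python
import re

# Constructed sample: the two `gradle dependencies` excerpts from the issue,
# joined into one tree (the "..." line stands for omitted siblings).
SAMPLE_TREE = """\
+--- io.javalin.community.ssl:ssl-plugin:5.6.3
|    +--- io.javalin:javalin-parent:5.6.2
...
|    \\--- io.github.hakky54:sslcontext-kickstart-for-pem:8.1.5
|         +--- io.github.hakky54:sslcontext-kickstart:8.1.5 (*)
|         \\--- org.bouncycastle:bcpkix-jdk15on:1.70
|              +--- org.bouncycastle:bcprov-jdk15on:1.70
|              \\--- org.bouncycastle:bcutil-jdk15on:1.70
|                   \\--- org.bouncycastle:bcprov-jdk15on:1.70
"""

# Gradle indents each level by 5 characters ("|    " or spaces); "(*)" marks a
# subtree already printed elsewhere, which still names the node itself.
NODE = re.compile(r"^(?P<prefix>(?:[| ]{5})*)[+\\]--- (?P<coord>\S+)(?: \(\*\))?$")

def parse_tree(text):
    """Yield (path, group, artifact, version) for every node; path is the list
    of coordinates from the root down to and including this node."""
    stack = []  # coordinates of the current ancestors, indexed by depth
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:  # blank lines, "..." elisions, configuration headers
            continue
        depth = len(m.group("prefix")) // 5
        coord = m.group("coord")
        group, artifact, version = coord.split(":")
        del stack[depth:]  # pop back to the parent of this depth
        stack.append(coord)
        yield (list(stack), group, artifact, version)

def find_paths(text, group, artifact):
    """All chains that pull in group:artifact, each with the version seen."""
    return [(p, v) for p, g, a, v in parse_tree(text) if (g, a) == (group, artifact)]

def flagged_versions(text, policy):
    """policy maps (group, artifact) -> set of versions to flag. Returns a list
    of (coordinate, chain) for every occurrence of a flagged version."""
    hits = []
    for path, g, a, v in parse_tree(text):
        if v in policy.get((g, a), ()):
            hits.append((f"{g}:{a}:{v}", " -> ".join(path)))
    return hits

def parent_mismatch(text, plugin_artifact, parent_artifact):
    """Return (plugin_version, parent_version) if parent_artifact sits directly
    under plugin_artifact with a different version, else None."""
    for path, g, a, v in parse_tree(text):
        if a == parent_artifact and len(path) >= 2:
            _, pa, pv = path[-2].split(":")
            if pa == plugin_artifact and pv != v:
                return (pv, v)
    return None
```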

Hakky54 commented 1 year ago

The vulnerability comes from Bouncy Castle. SSLContext Kickstart and Javalin are not using that part of Bouncy Castle, so it is safe to ignore in my opinion. However, this vulnerability is resolved when upgrading to version 8.1.7, and the PR https://github.com/javalin/javalin-ssl/pull/109 is open to resolve that issue. So I think if the project maintainer can merge that PR and create a new release, it will be resolved.

zugazagoitia commented 1 year ago

Whoops, seems like I messed up the release 😅 However, @Hakky54 is right, we're not affected by the vulnerability. I can't update this artifact, but I'll bump it in the next 5.x release.

I'm currently working on a Kotlin refactor for the 6.x release of the plugin and not actively developing the main branch.