jdiazcano / cfg4k

Flexible and easy to use config library written in kotlin
Apache License 2.0

Library versions with known CVEs #70

Closed rocketraman closed 2 years ago

rocketraman commented 2 years ago

There are libraries with known CVEs in the published version of cfg4k -- mainly the s3 dependency brings in older versions of jackson and httpclient, and the jgit dependency also brings in an older version of httpclient.

This is fixed on my branch here: https://github.com/rocketraman/cfg4k/tree/library-updates-security.
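The problem described above is a transitive one: the project never names jackson or httpclient itself, so the old versions only show up once you look at what Gradle actually resolves. The script below is an added example, not cfg4k code and not taken from the library-updates-security branch. It parses the text that `./gradlew dependencies --configuration runtimeClasspath` prints, keeps the version Gradle resolved for each artifact (the `-> x` side of a conflict, not the requested side), and flags artifacts below a team-chosen minimum. The report text, `SAMPLE_REPORT`, is constructed for the example, and the thresholds in `EXAMPLE_MINIMUMS` are hypothetical policy values, not statements about where any particular CVE was fixed.

```python
# Added example (not cfg4k code, and not from the library-updates-security
# branch): find which version of each transitive dependency a Gradle build
# really resolves, and flag those below a minimum the team has chosen.
import re
from typing import Dict, Tuple

# Constructed stand-in for `./gradlew dependencies --configuration runtimeClasspath`
# output. The artifacts mirror the ones named in the issue (aws-java-sdk-s3,
# jgit, jackson, httpclient); every version number is made up for the example
# and says nothing about what cfg4k actually resolves.
SAMPLE_REPORT = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.jetbrains.kotlin:kotlin-stdlib:1.3.72
+--- com.amazonaws:aws-java-sdk-s3:1.11.100
|    +--- com.amazonaws:aws-java-sdk-core:1.11.100
|    |    +--- com.fasterxml.jackson.core:jackson-databind:2.6.7 -> 2.6.7.1
|    |    \--- org.apache.httpcomponents:httpclient:4.5.2
|    \--- com.fasterxml.jackson.core:jackson-databind:2.6.7.1
\--- org.eclipse.jgit:org.eclipse.jgit:5.1.3.201810200350-r
     \--- org.apache.httpcomponents:httpclient:4.5.2 (*)
"""

# Hypothetical policy: the lowest version the team accepts for each artifact.
# These numbers are illustrative thresholds, not statements about where any
# particular CVE was fixed; a real build would take them from an advisory feed.
EXAMPLE_MINIMUMS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.9.10",
    "org.apache.httpcomponents:httpclient": "4.5.13",
}

# One dependency line: tree prefix, group:name, optional requested version,
# optional "-> resolved" when Gradle's conflict resolution picked another one.
_DEP_LINE = re.compile(
    r"^[|\s]*[+\\]--- ([^:\s]+):([^:\s]+)(?::(\S+))?(?: -> (\S+))?"
)


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Sort key that orders 4.5.13 after 4.5.2 (a plain string compare would
    not) and tolerates non-numeric qualifiers such as jgit's '-r' suffix."""
    parts = re.split(r"[.\-]", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def resolved_versions(report: str) -> Dict[str, str]:
    """Map group:name -> the single version Gradle resolved for the
    configuration. The '-> x' arrow wins over the requested version, because
    the requested one never reaches the classpath."""
    resolved: Dict[str, str] = {}
    for line in report.splitlines():
        match = _DEP_LINE.match(line)
        if not match:
            continue
        group, name, requested, forced = match.groups()
        version = forced or requested
        if version is None:  # constraint-only line with no version to record
            continue
        resolved[f"{group}:{name}"] = version
    return resolved


def find_outdated(report: str, minimums: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {artifact: (resolved, minimum)} for every artifact on the
    classpath that resolves below the policy minimum."""
    outdated: Dict[str, Tuple[str, str]] = {}
    for artifact, resolved in resolved_versions(report).items():
        minimum = minimums.get(artifact)
        if minimum is not None and version_key(resolved) < version_key(minimum):
            outdated[artifact] = (resolved, minimum)
    return outdated


if __name__ == "__main__":
    for artifact, (have, want) in sorted(find_outdated(SAMPLE_REPORT, EXAMPLE_MINIMUMS).items()):
        print(f"{artifact}: resolved {have}, policy requires >= {want}")
```

Two details matter when reading a real report this way: a `(*)` marker means Gradle omitted an already-printed subtree, so the same old httpclient can sit under both the s3 and the jgit branches without the second branch listing its children, and the `->` arrow is the only version that ends up on the classpath, so a check that reads the requested version would give false results. Once the offending artifacts are known, the fix on the build side is to raise them explicitly (for example with Gradle dependency constraints) rather than rely on whatever the s3 or jgit artifacts happen to request, which is the shape of the update the branch linked above makes.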

jdiazcano commented 2 years ago

Hello!

As you can see, I don't really have that much time anymore, and I don't know when I will have that time, so if you want to continue supporting it, that would be great.

If you wish, I will update this repository so it points to your fork!

rocketraman commented 2 years ago

Ok @jdiazcano , I think adding a note in the README to point to my fork makes sense for now at least. Thanks!