Open laurilehmijoki opened 4 years ago
Hi, and first of all, thanks for working on ring-swagger! I noticed that `ring-swagger:0.26.2`'s dependency `metosin:scjsv:0.5.0` depends on `com.github.java-json-tools:json-schema-validator:jar:2.2.10`, which in turn transitively depends on `com.google.guava:guava:jar:16.0.1`. Said Guava version is affected by the vulnerability CVE-2018-10237. One way to fix the security issue in `ring-swagger:0.26.2` may be to upgrade `metosin:scjsv`. Any thoughts on this?

My thought is: it won't help, because scjsv 0.6.0 still transitively depends on Guava 16.0.1. However, if we created a new release of scjsv that depended on json-schema-validator 2.2.13, that would bring in an up-to-date version of Guava and fix the problem.

While you wait for this to happen, if you want to mitigate CVE-2018-10237 or any other issue, I recommend directly depending on up-to-date versions of libraries. Upgrading deps and making a new release is still a manual process for us, so it may take a while. 😐
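The mitigation recommended in the thread, declaring an up-to-date Guava directly so the vulnerable transitive one never reaches the classpath, looks like this in a Leiningen `project.clj`. This is an added example, not a file from the issue author or from ring-swagger; the `my-app` project name is invented, the ring-swagger and Guava coordinates come from the issue text, and the choice of `24.1.1-jre` as the first Guava release containing the CVE-2018-10237 fix is an assumption to confirm against the advisory before adopting it.

```clojure
;; project.clj (added example; my-app is a placeholder project name)
(defproject my-app "0.1.0-SNAPSHOT"
  :dependencies [[org.clojure/clojure "1.10.1"]
                 ;; Version named in the issue. The :exclusions entry removes the
                 ;; Guava 16.0.1 that arrives via scjsv -> json-schema-validator,
                 ;; so it cannot win dependency resolution by accident.
                 [metosin/ring-swagger "0.26.2"
                  :exclusions [com.google.guava/guava]]
                 ;; Pin a Guava release that contains the CVE-2018-10237 fix.
                 ;; 24.1.1-jre is assumed to be the first fixed release; verify
                 ;; this against the advisory for your own build.
                 [com.google.guava/guava "24.1.1-jre"]]
  ;; Abort instead of silently picking a version when two paths disagree,
  ;; which is how a re-introduced old Guava would otherwise slip back in.
  :pedantic? :abort)
```

After editing, confirm the result rather than trusting the declaration: `lein deps :tree 2>&1 | grep guava` should list only the pinned version, with no `16.0.1` anywhere in the tree. Since json-schema-validator 2.2.10 was built against Guava 16, run the project's test suite against the newer Guava as well; the override fixes the classpath, but only a passing run shows the library still works with the replaced API.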