modmuss50 / mod-publish-plugin

A Gradle plugin to publish mods to a range of destinations
https://modmuss50.github.io/mod-publish-plugin/
MIT License
50 stars, 7 forks

Bump okhttp from 4.10.0 to 4.12.0 to address CVE-2023-3635 #44

Closed Alexander01998 closed 3 weeks ago

Alexander01998 commented 1 month ago

okhttp v4.10.0 depends on okio v3.0.0, which is vulnerable to CVE-2023-3635.

okio versions 3.4.0 and later have patched this vulnerability and okhttp versions 4.12.0 and later depend on patched versions of okio.

I don't think CVE-2023-3635's attack vector is all that relevant to mod-publish-plugin, but it's still a good practice to patch all known vulnerabilities.

This change shouldn't break anything, since okhttp 4.12 is only a minor update, but I guess we'll see if the tests fail on this PR. If it does break stuff, an alternative solution might be to put a dependency constraint on okio while keeping okhttp at v4.10.
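The fallback Alexander01998 mentions, a dependency constraint on okio while okhttp stays at 4.10, written out as an added illustration in Gradle Kotlin DSL (not code from this PR or from mod-publish-plugin); the artifact coordinates are the standard `com.squareup.okhttp3:okhttp` / `com.squareup.okio:okio` ones, and the `implementation` configuration is an assumption.

```kotlin
// build.gradle.kts (illustrative, not the project's build script)
dependencies {
    // Direct dependency stays at the version the plugin was built against.
    implementation("com.squareup.okhttp3:okhttp:4.10.0")

    // Constraints only apply to versions that Gradle resolves transitively;
    // this raises okio from the 3.0.0 that okhttp 4.10.0 pulls in to 3.4.0,
    // the first release the PR text names as patched for CVE-2023-3635.
    constraints {
        implementation("com.squareup.okio:okio:3.4.0") {
            because("okio < 3.4.0 is affected by CVE-2023-3635 (malformed gzip input)")
        }
    }
}

// Verify which okio version actually ends up on the classpath and why:
//   ./gradlew dependencyInsight --dependency okio --configuration runtimeClasspath
```

The bump to okhttp 4.12.0 that the PR itself makes is the simpler route when the tests pass; the constraint is only worth keeping if the newer okhttp turns out to break something, since a constraint does not protect code paths that resolve okio outside the constrained configuration.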

modmuss50 commented 1 month ago

Thanks for the PR. As you said, I don't believe this affects MPP at all; worst case it would need one of the sites we publish to to return this malformed? gzip data, and then it would just crash/fail the build.

Alexander01998 commented 1 month ago

Yeah, if I understand the CVE correctly, basically CurseForge/Modrinth/GitHub would have to be the attacker and then they could make the publish task take forever. Not something that would be all too likely or severe, but it would be nice to get rid of the Dependabot warning when using your plugin.