Open wborn opened 1 year ago
Librato is no longer maintained. We should move away from it.
That said, given that the Librato-reporter as used only serialises JSON, and doesn't de-serialise client-generated JSON, the vulnerabilities can't be triggered.
The moquette-broker:0.15 artifact has a transitive dependency through librato-java:2.1.0 on Jackson 2.8.8 which has many known vulnerabilities:
It shows up in IntelliJ IDEA like this:
Dependency tree: