perwendel / spark

A simple expressive web framework for Java. Spark has a Kotlin DSL: https://github.com/perwendel/spark-kotlin
Apache License 2.0

Vulnerability in spark-template-velocity 2.7.1 #1090

Closed toyg closed 5 years ago

toyg commented 5 years ago

It looks like spark-template-velocity 2.7.1 depends on velocity 1.7, which in turn depends on commons-collections 3.2.1. That lib is vulnerable (reference), and got picked up by a security review of a project.

Any chance that package could be rebuilt with a newer Velocity? If not, you might want to pull it altogether.

toyg commented 5 years ago

Duplicate of https://github.com/perwendel/spark-template-engines/issues/68
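
The transitive chain reported in the first comment can be confirmed in a consuming project by walking the text output of `mvn dependency:tree`. The script below is an added example, not code from the issue or from the Spark project; the root application `com.example:app` and the whole sample tree are constructed for illustration, and the flagged version is the one named in the issue.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical
# application (com.example:app). The flagged chain mirrors the issue text.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.sparkjava:spark-template-velocity:jar:2.7.1:compile
[INFO] |  \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |     +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |     \- commons-lang:commons-lang:jar:2.4:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.25:compile
"""

# group:artifact -> versions flagged by the review (version taken from the issue).
FLAGGED = {"commons-collections:commons-collections": {"3.2.1"}}

# Each tree level is three characters wide ("|  " or "   "), followed by a
# "+- " or "\- " branch marker; the root line has neither.
LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*(?:[+\\]- )?)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})$"
)


def flagged_paths(tree_text, flagged=FLAGGED):
    """Return, for every flagged artifact, the dependency path that pulls it in."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banners, blank lines, build summary
        depth = len(m["indent"]) // 3
        f = m["coord"].split(":")
        # group:artifact:type:version[:scope], or with a classifier before version
        version = f[4] if len(f) == 6 else f[3]
        del stack[depth:]  # drop siblings and anything deeper
        stack.append(f"{f[0]}:{f[1]}:{version}")
        if version in flagged.get(f"{f[0]}:{f[1]}", ()):
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for path in flagged_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Run against real output, each printed path shows which direct dependency is responsible for the flagged artifact, which is the dependency to upgrade, exclude or override.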