pulumi / pulumi-java

Java support for Pulumi
Apache License 2.0

Upgrade transitive dependency protobuf-java to fix security vulnerability #1440

Status: Closed (closed by cowwoc 1 hour ago)

cowwoc commented 1 week ago

What happened?

IntelliJ reports that Pulumi 0.16.1 depends on a vulnerable version of protobuf-java: https://osv.dev/vulnerability/GHSA-735f-pc8j-v9w8

Example

N/A

Output of pulumi about

N/A

Additional context

No response


cowwoc commented 1 week ago

Workaround:

<dependency>
    <groupId>com.pulumi</groupId>
    <artifactId>pulumi</artifactId>
    <version>0.16.1</version>
    <exclusions>
        <exclusion>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protobuf-java</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.google.protobuf</groupId>
    <artifactId>protobuf-java</artifactId>
    <version>4.28.3</version>
</dependency>
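
Added example, not part of the issue or of the pulumi-java project: after applying the exclusion and explicit dependency above, this script reads the plain-text output of `mvn dependency:tree` and reports any com.google.protobuf:protobuf-java version still resolving below the 4.28.3 the workaround pins. The two sample trees are constructed for illustration; the 3.25.1 in them is not a claim about what pulumi 0.16.1 really pulls in.

```python
"""Check which protobuf-java version a Maven build actually resolves.
Added example (not from the issue or pulumi-java): parses `mvn dependency:tree`
text and lists resolved com.google.protobuf:protobuf-java versions older than
the 4.28.3 the workaround pins. Sample trees below are constructed."""
import re
from typing import List, Tuple

GROUP = "com.google.protobuf"
ARTIFACT = "protobuf-java"
MIN_VERSION = "4.28.3"  # taken from the workaround above
# One tree node reads "group:artifact:type:version:scope" after the connector.
_NODE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)")

def version_key(version: str) -> Tuple[int, ...]:
    """'4.28.3' -> (4, 28, 3) for numeric comparison; 'SNAPSHOT' etc. become -1."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))

def resolved_versions(tree: str) -> List[str]:
    """protobuf-java versions kept on the classpath; nodes Maven prints as
    '(... omitted for conflict ...)' under -Dverbose are not resolved, so skip them."""
    found = []
    for line in tree.splitlines():
        if "omitted for" in line:
            continue
        m = _NODE.search(line)
        if m and m.group(1) == GROUP and m.group(2) == ARTIFACT:
            found.append(m.group(3))
    return found

def vulnerable_versions(tree: str, minimum: str = MIN_VERSION) -> List[str]:
    """Resolved versions below the minimum; an empty list means the exclusion worked."""
    return [v for v in resolved_versions(tree) if version_key(v) < version_key(minimum)]

# Constructed sample: old transitive protobuf-java still resolves.
TREE_BEFORE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.pulumi:pulumi:jar:0.16.1:compile
[INFO] |  \\- com.google.protobuf:protobuf-java:jar:3.25.1:compile
[INFO] \\- org.junit.jupiter:junit-jupiter:jar:5.10.0:test
"""
# Constructed sample after the exclusion plus explicit dependency, run with -Dverbose.
TREE_AFTER = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.pulumi:pulumi:jar:0.16.1:compile
[INFO] |  \\- (com.google.protobuf:protobuf-java:jar:3.25.1:compile - omitted for conflict with 4.28.3)
[INFO] \\- com.google.protobuf:protobuf-java:jar:4.28.3:compile
"""
if __name__ == "__main__":
    print("before:", vulnerable_versions(TREE_BEFORE), "after:", vulnerable_versions(TREE_AFTER))
```

Pipe a real `mvn dependency:tree -Dverbose` run into `vulnerable_versions` to confirm the exclusion took effect in every module of a multi-module build, not just the one whose pom was edited.
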

justinvp commented 1 week ago

Thanks for the heads-up, @cowwoc!