slackapi / java-slack-sdk

Slack Developer Kit (including Bolt for Java) for any JVM language
https://slack.dev/java-slack-sdk/
MIT License

Dependabot reports Security vulnerabilities #1198

Closed MeikeMertschFortum closed 10 months ago

MeikeMertschFortum commented 1 year ago

Hi!

When importing com.slack.api:bolt-jetty:1.30.0 to my project, Dependabot started warning about possible security issues. Could you update the versions of

(screenshot attached)

The Slack SDK version

com.slack.api:bolt-jetty:1.30.0

Dependency tree

(screenshot attached)

Issue descriptions by Dependabot

(two screenshots attached)

seratch commented 1 year ago

Hi @MeikeMertschFortum, thanks for taking the time to report this! We will upgrade okhttp and its underlying okio in future releases like we have been doing. However, it seems jetty 9.4.51 is the latest version in the 9.x series. If you need to use a newer version, you may want to switch to the bolt-jakarta-jetty library, which is compatible with the jetty 11.x series.

kamilgregorczyk commented 12 months ago

Hello @seratch, looks like the vulnerabilities are still there: https://mvnrepository.com/artifact/com.slack.api/slack-api-client/1.32.1. Is there a plan to update the slack-api-client anytime soon? Or is there a replacement for it?

seratch commented 12 months ago

@kamilgregorczyk The old versions of Jetty libraries are "test" dependencies, which are used only in unit tests for the slack-api-client library itself. Therefore, it does not affect your app code at all.
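
The answer above turns on dependency scope: a library's own test-scoped dependencies are never propagated to the application that consumes it, so a Dependabot finding against them does not reach production code. The script below is an added example (not code from the issue thread or from the SDK) that triages a list of flagged `groupId:artifactId` coordinates against `mvn dependency:tree` output and reports, for each, whether it reaches the application, is test-only, or is absent from the classpath; the tree, the hypothetical `com.example:my-bot` app and the okhttp/okio versions are constructed placeholders, and `triage`, `parse_tree` and `classify` are names chosen here.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical app that
# depends on bolt-jetty 1.30.0. It is NOT the real tree, and the okhttp/okio
# versions are placeholders. Maven does not propagate a library's test-scoped
# dependencies, so jetty appears only via bolt-jetty (compile) and via a
# test-only dependency declared by the app itself.
SAMPLE_TREE = """\
[INFO] com.example:my-bot:jar:1.0.0
[INFO] +- com.slack.api:bolt-jetty:jar:1.30.0:compile
[INFO] |  +- com.slack.api:bolt:jar:1.30.0:compile
[INFO] |  |  \\- com.slack.api:slack-api-client:jar:1.30.0:compile
[INFO] |  |     \\- com.squareup.okhttp3:okhttp:jar:4.9.0:compile
[INFO] |  |        \\- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  \\- org.eclipse.jetty:jetty-server:jar:9.4.51:compile
[INFO] \\- org.eclipse.jetty:jetty-servlet:jar:9.4.51:test
"""

# One dependency line: "[INFO]", tree-drawing characters, then bare coordinates.
# Verbose-mode lines ending in "(... omitted for ...)" do not match and are skipped.
LINE_RE = re.compile(r"^\[INFO\]\s*[|+\\\-\s]*(\S+)\s*$")


def parse_tree(text):
    """Return (groupId:artifactId, version, scope) for every dependency line."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        # Coordinates are group:artifact:type[:classifier]:version:scope; the
        # root artifact has no scope (4 parts) and is skipped.
        parts = m.group(1).split(":") if m else []
        if len(parts) >= 5:
            deps.append((f"{parts[0]}:{parts[1]}", parts[-2], parts[-1]))
    return deps


def classify(occurrences):
    """Translate the scopes an artifact was seen in into its impact on the app."""
    scopes = {scope for _, scope in occurrences}
    if scopes & {"compile", "runtime"}:
        return "reaches application"
    if "provided" in scopes:
        return "supplied by container"  # verify the container's own version
    if "test" in scopes:
        return "test-only"
    return "not on classpath"


def triage(flagged, tree_text):
    """For each flagged groupId:artifactId, list (version, scope) hits and a verdict."""
    seen = {coord: [] for coord in flagged}
    for coord, version, scope in parse_tree(tree_text):
        if coord in seen:
            seen[coord].append((version, scope))
    return {coord: (occ, classify(occ)) for coord, occ in seen.items()}
```

Run it on the real output of `mvn dependency:tree` from your own project to see which of Dependabot's findings actually ship with the application.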

seratch commented 10 months ago

The latest release does not have any of the issues mentioned here: https://github.com/slackapi/java-slack-sdk/releases/tag/v1.35.0. Let me close this issue now.