There's a wagon-http in spring-cloud-deployer-resource-maven which pulls commons-io 2.6 which has a CVE in it. We have overridden this in https://github.com/spring-cloud/spring-cloud-dataflow-build/blob/f0d74f04f69aff8c16032c3aaf0885b230d82430/spring-cloud-dataflow-build-dependencies/pom.xml#L26 so that within dataflow build we get commons-io 2.7. However if you directly just depend on spring-cloud-deployer-resource-maven looks like you get commons-io 2.6.
There is a complex dependency chain which goes from spring-cloud-deployer-resource-maven to parent build modules via parents and dependency management. Looks like this doesn't work in this case. Might be misunderstanding or just usual maven hell.
Should try to figure out where to force commons-io version. It's either on this repo or in spring-cloud-dataflow-build.
Essentially looking if user does something in maven/gradle:
or
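
Added example, not part of the original issue: a Python check over `mvn dependency:tree` text output that reports each path by which a commons-io older than 2.7 reaches a project that depends directly on spring-cloud-deployer-resource-maven. The sample tree is constructed; the `com.example` and `org.example` coordinates and every version other than commons-io 2.6 are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not from the issue).
# Only "commons-io 2.6 via wagon-http" reflects the report; other coordinates
# and versions are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:consumer:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-deployer-resource-maven:jar:0.0.0-EXAMPLE:compile
[INFO] |  +- org.apache.maven.wagon:wagon-http:jar:0.0.0-EXAMPLE:compile
[INFO] |  |  \- commons-io:commons-io:jar:2.6:compile
[INFO] |  \- org.example:other-lib:jar:1.2.3:compile
[INFO] \- org.example:unrelated:jar:4.5.6:compile
"""

# Tree prefix is built from 3-character cells: "+- ", "\- ", "|  " or "   ".
LINE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[|+\\ ][ -] )*)"
    r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})$"
)


def find_old_commons_io(tree_text, minimum=(2, 7)):
    """Return (version, path) for every commons-io older than `minimum`."""
    findings, stack = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        depth = len(m.group("indent")) // 3
        parts = m.group("coord").split(":")
        # group:artifact:type[:classifier]:version[:scope]
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[depth:]          # drop siblings and deeper levels
        stack.append(parts[1])     # keep artifactId as the path element
        if parts[:2] == ["commons-io", "commons-io"]:
            nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
            if nums < minimum:
                findings.append((version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for version, path in find_old_commons_io(SAMPLE_TREE):
        print(f"commons-io {version} resolved via: {path}")
```

Run it against the real output of `mvn dependency:tree` in the consuming project to see whether the 2.7 override applies there.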