spring-cloud / spring-cloud-netflix

Integration with Netflix OSS components
http://cloud.spring.io/spring-cloud-netflix/
Apache License 2.0

eureka-client and xstream version need update #4025

Closed nibiwodong closed 3 years ago

nibiwodong commented 3 years ago

Describe the bug

spring-cloud-netflix 3.03 uses eureka-client 1.10.14: https://github.com/spring-cloud/spring-cloud-netflix/blob/v3.0.3/spring-cloud-netflix-dependencies/pom.xml

eureka-client 1.10.16 has been released and updates the xstream version to 1.4.17. However, that xstream version still has a vulnerability: https://github.com/Netflix/eureka/issues/1421

The eureka-client main branch has updated the xstream version to 1.4.18, but a new version has not been released yet. https://github.com/Netflix/eureka/blob/master/eureka-client/build.gradle

I hope spring-cloud-netflix will keep an eye on eureka-client's release notes and update eureka-client as soon as possible.

By the way, is GitHub Dependabot still running?

OlgaMaciaszek commented 3 years ago

@nibiwodong Thanks for catching this. Will upgrade the dependencies. Dependabot alerts are enabled in this repo - not sure why we did not receive a notification for this.