trcoelho
commented
6 months ago Hello, any updates on this?
Thanks.
Closed trcoelho closed 4 months ago
trcoelho
commented
6 months ago Hello, any updates on this?
Thanks.
OlgaMaciaszek
commented
4 months ago Hello @trcoelho, thanks for creating the issue. As you can read in https://spring.io/security-policy#vulnerable-dependency-versions
we do not consider it a vulnerability in Spring when Spring defines a vulnerable dependency version,
because developers can override these versionsMoreover, these are all transitive dependencies. To give you more details, guava is brought about by MockServer Java Client, which is already set to the current version - we can upgrade it here if there's an upgrade in that project; xstream comes from Netflix/eureka, which is also not our repo, however, we collaborate with that team extensively, so I have created a PR with the upgrade: https://github.com/Netflix/eureka/pull/1552 - once they merge it and release it, we can upgrade it here. We get the version of woodstox from jackson-dataformat-xml and we get the version of that from Boot, but Boot is currently at the highest version for the major-minor line and a swap to another one won't be done in a patch release.
Describe the bug Either
com.google.guava:guava:jar:19.0com.thoughtworks.xstream:xstream:jar:1.4.19com.fasterxml.woodstox:woodstox-core:jar:6.2.1dependencies got vulnerabilities in versions.
https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.19 https://mvnrepository.com/artifact/com.google.guava/guava/19.0 https://mvnrepository.com/artifact/com.fasterxml.woodstox/woodstox-core/6.2.1
Is there any plan to update these on next versions?
Thank you.