Latest available version of converter-gson artifact contains security vulnerability transitively.

[TWiStErRob]

What kind of issue is this?

• [x] Feature Request.

https://devhub.checkmarx.com/cve-details/CVE-2022-25647/

Since Retrofit's last release 2.9.0 (2020) there have been some dependency updates:

• GSON 2.8.5 → 2.8.7
• GSON 2.8.7 → 2.8.9
• GSON 2.8.9 → 2.9.0
• GSON 2.9.0 → 2.10.1

among a ton of other maintenance and fixes, but there was no release of Retrofit.

Are there plans to release a new version?

[JakeWharton]

We will release when we release. This library has not been a priority recently, but is otherwise stable and working.

In general, both in the past over the history of the project and in the future, we will never do a release to solely address an issue bump for a transitive dependency. Those come along for the ride with new features and bug fixes within this library.

If you want a version newer than we can provide them then I would recommend a sibling dependency declaration with the newer version. This relies on normal Gradle dependency resolution semantics to resolve to the newer version and allows tools like Renovate to update your version when newer ones are available. If the library provides binary compatibility guarantees, as almost all should within a major version, Retrofit's converters and adapters will continue to work just fine.

[TWiStErRob]

to solely address an issue bump for a transitive dependency

Of course, this is issue is just one tiny reason in addition to the 3 years of maintenance updates and enhancements.

[JakeWharton]

Yes this is not the only vulnerability in a transitive dependency. Unfortunately the project isn't quite in a state that I'm comfortable releasing so it requires some time to get back to a releasable state.