technomancy / leiningen

Moved to Codeberg; this is a convenience mirror
https://codeberg.org/leiningen/leiningen

Address commons-io vuln #2822

Closed metametadata closed 1 month ago

metametadata commented 1 month ago

Grype detects the following vuln in root/.lein/self-installs/leiningen-2.11.2-standalone.jar:

NAME                        INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
commons-io                  2.8.0                    2.14.0    java-archive  GHSA-78wr-2p64-hpwj  High

Would be nice to update Lein to not trigger this report.

technomancy commented 1 month ago

This isn't relevant to Leiningen's use of commons-io, which does not operate on untrusted input. If an attacker can replace XML in a repository you read from, they can do much worse than consume CPU!

metametadata commented 1 month ago

I understand, it's a common case with vulns that they are unreachable. But why not bump the dep simply to get rid of this report in all the consumers' automated pipelines?
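For a consumer whose pipeline keeps flagging the standalone jar, the practical triage is to record the maintainer's reachability argument next to the finding rather than silence the scanner wholesale. Below is an added example of a grype ignore rule that does that; it is not part of this issue or of the Leiningen project, and it assumes a `.grype.yaml` in the scanning repository (the filename and the matching fields are grype's configuration format, the justification comment is ours). The rule is pinned to the exact advisory, package name, version and type reported above so that an upgrade to a different commons-io version, or a new advisory against the same artifact, is reported again instead of being hidden.

```yaml
# .grype.yaml (added example, not from the Leiningen repository)
#
# Suppress exactly one finding: GHSA-78wr-2p64-hpwj (CVE-2024-47554,
# CPU consumption in commons-io XmlStreamReader on crafted XML) in the
# commons-io 2.8.0 bundled inside leiningen-2.11.2-standalone.jar.
#
# Justification, per the maintainer in leiningen#2822: Leiningen only
# feeds commons-io XML that it fetched from its configured repositories;
# an attacker who can alter that XML already controls the artifacts you
# download, which is a far stronger position than a CPU-exhaustion bug.
#
# Every matcher below must hit for the rule to apply, so a version bump,
# a different package type or a new advisory ID is still reported.
ignore:
  - vulnerability: GHSA-78wr-2p64-hpwj
    package:
      name: commons-io
      version: 2.8.0
      type: java-archive
```

Run the scan as before (`grype root/.lein/self-installs/leiningen-2.11.2-standalone.jar`) from the directory that holds the file; grype lists rules that fired under "ignored matches" when asked for them with `--show-suppressed`, which is worth keeping in CI output so the suppression stays visible. Revisit the rule when Leiningen ships a release that bundles commons-io 2.14.0 or later, at which point it matches nothing and can be deleted.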