weavejester
commented
1 month ago I've updated the dependency, thanks for pointing this out. The vulnerabilities shouldn't affect ring-webjars, however, as no client data ever touches the webjar methods.
Closed metametadata closed 1 month ago
weavejester
commented
1 month ago I've updated the dependency, thanks for pointing this out. The vulnerabilities shouldn't affect ring-webjars, however, as no client data ever touches the webjar methods.
metametadata
commented
1 month ago Thank you!
org.webjars/webjars-locator 0.27depends onorg.apache.commons/commons-compress 1.9which has 6 direct vulns (e.g. see at https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.9).Can be fixed by bumping from
0.27to0.52. AFAIU, this would also solve https://github.com/weavejester/ring-webjars/issues/8.