Closed metametadata closed 1 month ago
org.webjars/webjars-locator 0.27 depends on org.apache.commons/commons-compress 1.9 which has 6 direct vulns (e.g. see at https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.9).
Can be fixed by bumping from 0.27 to 0.52. AFAIU, this would also solve https://github.com/weavejester/ring-webjars/issues/8.
I've updated the dependency, thanks for pointing this out. The vulnerabilities shouldn't affect ring-webjars, however, as no client data ever touches the webjar methods.
Thank you!
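For a downstream project that needs the newer webjars-locator before an updated ring-webjars release is on its classpath, the transitive dependency can be overridden in Leiningen. The snippet below is an added example, not code from this issue or from the ring-webjars project: the project name and the ring-webjars version string are placeholder assumptions, and 0.52 is the webjars-locator version the issue proposes.

```clojure
;; project.clj excerpt (added example, not from ring-webjars).
;; Exclude the webjars-locator that ring-webjars pulls in transitively and
;; declare the newer one directly so Leiningen resolves 0.52 on the classpath.
(defproject example-app "0.1.0-SNAPSHOT"           ; placeholder project name
  :dependencies [[org.clojure/clojure "1.10.1"]
                 ;; the ring-webjars version here is an assumption; use the
                 ;; release your project actually depends on
                 [ring-webjars "0.2.0" :exclusions [org.webjars/webjars-locator]]
                 ;; the webjars-locator version the issue proposes as the fix
                 [org.webjars/webjars-locator "0.52"]])
```

After editing, `lein deps :tree` prints the resolved dependency graph; check that org.webjars/webjars-locator appears only at 0.52 and that org.apache.commons/commons-compress is no longer pulled in at 1.9. If another library on the classpath also depends on the old webjars-locator, the same `:exclusions` entry is needed on that coordinate too, otherwise the exclusion on ring-webjars alone does not change what gets resolved.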