Update transitive dependency protobuf-java to fix CVE-2022-3171

2022-10-13 12:13:16 +02:00 · 2022-10-13 12:13:16 +02:00 · ee8ecfc74b
commit ee8ecfc74b
parent ccaa50ad67
1 changed files with 11 additions and 0 deletions
--- a/pom.xml
+++ b/pom.xml
@ -124,8 +124,19 @@
            <dependency>
                <groupId>mysql</groupId>
                <artifactId>mysql-connector-java</artifactId>
+                <!-- when updating check which version of protobuf-java it depends on -->
+                <!-- and upgrade to the appropriate patched version -->
                <version>8.0.30</version>
            </dependency>
+            <dependency>
+                <!-- transitive dependency of mysql-connector-java -->
+                <!-- it depends on version 3.19.4 which has a security vulnerability -->
+                <!-- when updating mysql-connector-java check which version it depends on -->
+                <!-- and upgrade to the appropriate patched version of protobuf-java -->
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.19.6</version>
+            </dependency>

            <!--QueryDSL-->
            <dependency>