Fix CVE-2024-57699 by override transitive dependency version #116

Merged
niat8586 merged 1 commits from update-json-smart into develop 2025-02-20 14:32:01 +01:00

20
pom.xml

@ -39,6 +39,12 @@
<jersey.version>3.1.6</jersey.version> <jersey.version>3.1.6</jersey.version>
<poi.version>5.2.5</poi.version> <poi.version>5.2.5</poi.version>
<jackson.version>2.17.0</jackson.version> <jackson.version>2.17.0</jackson.version>
<!--
When updating spring-boot check if the transitive dependency on json-smart has been
updated to 2.5.2 or later.
If so, remove the dependency managed version of json-smart
-->
<spring.boot.version>3.4.1</spring.boot.version> <spring.boot.version>3.4.1</spring.boot.version>
<springdoc.openapi.version>2.8.3</springdoc.openapi.version> <springdoc.openapi.version>2.8.3</springdoc.openapi.version>
@ -213,6 +219,20 @@
<version>2.0.2</version> <version>2.0.2</version>
<scope>runtime</scope> <scope>runtime</scope>
</dependency> </dependency>
<dependency>
<!--
2.5.1 is brought in transitively by
spring-boot-starter-oauth2-client
spring-security-oauth2-client
oauth2-oidc-sdk
json-smart
it has a known security vulnerability that's fixed in 2.5.2
should be removed when spring-boot-starter-oauth2-client is updated
-->
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>2.5.2</version>
</dependency>
<!-- Test stuff --> <!-- Test stuff -->
<dependency> <dependency>
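Review bot: The comment on the new json-smart dependency (second hunk) says only "a known security vulnerability" while the PR title names CVE-2024-57699; a pinned override added for a CVE should cite it so a later audit or dependency-check suppression can be traced back, e.g. `it has a known security vulnerability (CVE-2024-57699) that's fixed in 2.5.2`. The two comments also disagree about when the pin may be dropped: the property comment (first hunk) says to re-check "when updating spring-boot" and refers to a "dependency managed version", whereas this entry says "when spring-boot-starter-oauth2-client is updated" and, judging by the runtime-scoped sibling above it, appears to sit in `<dependencies>` rather than `<dependencyManagement>`; pick one trigger and one location and state it in both places. As a point of style, the rest of this pom keeps versions in `*.version` properties, so `<json-smart.version>2.5.2</json-smart.version>` referenced as `<version>${json-smart.version}</version>` would keep the property comment and the dependency from drifting apart. It would be worth confirming with `mvn dependency:tree` that 2.5.2 is what actually resolves under the Spring Boot managed versions. The enclosing `<dependencies>` block continues outside the hunk.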