2025-02-20 14:32:01 +01:00
1 changed files with 20 additions and 0 deletions
--- a/pom.xml
+++ b/pom.xml
@ -39,6 +39,12 @@
        <jersey.version>3.1.6</jersey.version>
        <poi.version>5.2.5</poi.version>
        <jackson.version>2.17.0</jackson.version>
+
+        <!--
+            When updating spring-boot check if the transitive dependency on json-smart has been
+            updated to 2.5.2 or later.
+            If so, remove the dependency managed version of json-smart
+        -->
        <spring.boot.version>3.4.1</spring.boot.version>
        <springdoc.openapi.version>2.8.3</springdoc.openapi.version>

@ -213,6 +219,20 @@
                <version>2.0.2</version>
                <scope>runtime</scope>
            </dependency>
+            <dependency>
+                <!--
+                2.5.1 is brought in transitively by
+                  spring-boot-starter-oauth2-client
+                    spring-security-oauth2-client
+                      oauth2-oidc-sdk
+                        json-smart
+                it has a known security vulnerability that's fixed in 2.5.2
+                should be removed when spring-boot-starter-oauth2-client is updated
+                -->
+                <groupId>net.minidev</groupId>
+                <artifactId>json-smart</artifactId>
+                <version>2.5.2</version>
+            </dependency>

            <!-- Test stuff -->
            <dependency>