Consider releasing new version to resolve JGit issue #394

ciscoo · 2023-10-19T15:31:22Z

Several of my company's build started failing due CVE-2023-4759 which was flagged by our internally hosted IQ Server.

None of our projects directly depend on JGit, but instead it is a transitive dependency from Gradle plugins such as gradle-git-publish and com.diffplug.spotless.

This is easily resolved using a constraint such as:

buildscript {
    dependencies {
        constraints {
            classpath("org.eclipse.jgit:org.eclipse.jgit") {
                version {
                    strictly("6.7.0.202309050840-r")
                }
            }
        }
    }
}

However, I think it would be better if a new version of this library was released since rich versions are used, so it should pick up the latest version when built/published.

The text was updated successfully, but these errors were encountered:

Testing against Java 21 and Gradle 8.4 Also updates to latest JGit, which resolves #394.

ajoberstar added a commit that referenced this issue Oct 21, 2023

Update Gradle and dependencies

d9d1e91

Testing against Java 21 and Gradle 8.4 Also updates to latest JGit, which resolves #394.

ajoberstar added a commit that referenced this issue Oct 21, 2023

Update Gradle and dependencies

b619dcc

Testing against Java 21 and Gradle 8.4 Also updates to latest JGit, which resolves #394.

ajoberstar closed this as completed in 7559eb8 Oct 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Consider releasing new version to resolve JGit issue #394

Consider releasing new version to resolve JGit issue #394

ciscoo commented Oct 19, 2023

Consider releasing new version to resolve JGit issue #394

Consider releasing new version to resolve JGit issue #394

Comments

ciscoo commented Oct 19, 2023