Security Vulnerabilities #7

Closed
blakeghowe opened this issue Jul 12, 2022 · 2 comments · Fixed by #10

blakeghowe commented Jul 12, 2022

There are security vulnerabilities with the following transitive dependencies:
• Group: org.apache.struts Artifact: struts-core Version: 1.3.8
• Group: org.apache.velocity Artifact: velocity Version: 1.7

Unfortunately, there is no way to override with a higher version of these dependencies since there isn't one available. Is there a suggested workaround so I can avoid using these dependencies?

It looks like to fix the issue, you need to switch to struts2-core and velocity-engine-core.

@dmatej dmatej self-assigned this Jul 13, 2022

dmatej commented Jul 13, 2022

That should rather be reported to the Maven developers, as it is a dependency of the Maven project; see https://mvnrepository.com/artifact/org.apache.maven.plugin-tools/maven-plugin-tools-generators/3.6.4
I am not sure if I can just exclude part of the tree without breaking something.

@dmatej dmatej linked a pull request Jul 13, 2022 that will close this issue

dmatej commented Jul 13, 2022

Both dependencies were excluded - `mvn clean install` and `mvn clean site` passed.

@dmatej dmatej added this to the 2.1.0 milestone May 23, 2023
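
An added example, not part of the thread or the project's code: a small check that reads the text output of `mvn dependency:tree` and reports the chain through which each flagged coordinate arrives, so the exclusion can be placed on the right direct dependency and its absence confirmed afterwards. The sample tree is constructed; its root project and the `hypothetical-intermediate` node are assumptions, not the real dependency graph.

```python
import re

# Coordinates named in the issue as (groupId, artifactId, version).
FLAGGED = {
    ("org.apache.struts", "struts-core", "1.3.8"),
    ("org.apache.velocity", "velocity", "1.7"),
}

# Constructed sample of `mvn dependency:tree` output. The root project and the
# intermediate node are hypothetical; this is not the project's real tree.
SAMPLE_TREE = r"""
[INFO] com.example:demo-plugin:maven-plugin:1.0.0
[INFO] +- org.apache.maven.plugin-tools:maven-plugin-tools-generators:jar:3.6.4:compile
[INFO] |  +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] |  \- com.example:hypothetical-intermediate:jar:2.0:compile
[INFO] |     \- org.apache.struts:struts-core:jar:1.3.8:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] BUILD SUCCESS
"""

# "[INFO] " + 3-character indent units + optional "+- " or "\- " marker + coordinate.
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)([+\\]- )?(\S+)$")


def flagged_paths(tree_text, flagged=FLAGGED):
    """Return the groupId:artifactId chain from the root to each flagged node."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        match = NODE.match(line.rstrip())
        if not match:
            continue  # blank lines, banners, build summary
        indent, marker, coord = match.groups()
        parts = coord.split(":")
        if len(parts) < 4:
            continue  # not group:artifact:type[:classifier]:version[:scope]
        depth = len(indent) // 3 + (1 if marker else 0)
        del stack[depth:]  # leave only the ancestors of this node
        stack.append(f"{parts[0]}:{parts[1]}")
        version = parts[3] if len(parts) <= 5 else parts[4]
        if (parts[0], parts[1], version) in flagged:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for path in flagged_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

The second element of each reported chain is the direct dependency on which a Maven `<exclusions>` entry would be declared; an empty result after the change means the flagged coordinates no longer resolve.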