Require nimbus-jose-jwt 9.37.1 which fixes CVE-2021-31684 and CVE-202…

…3-1370 by using a newer shaded version of json-smart. (#3720) Signed-off-by: David Venable <[email protected]>
opensearch-project · Nov 30, 2023 · 048263f · 048263f
1 parent 1af1ce9
commit 048263f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -16,6 +16,15 @@ dependencies {
     implementation 'org.apache.parquet:parquet-common:1.13.1'
     implementation 'org.apache.parquet:parquet-hadoop:1.13.1'
     testImplementation project(':data-prepper-test-common')
+
+    constraints {
+        implementation('com.nimbusds:nimbus-jose-jwt') {
+            version {
+                require '9.37.1'
+            }
+            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+        }
+    }
 }
 
 test {

diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
@@ -31,6 +31,15 @@ dependencies {
     testImplementation testLibs.slf4j.simple
     testImplementation 'software.amazon.awssdk:s3-transfer-manager'
     testImplementation 'software.amazon.awssdk.crt:aws-crt:0.25.0'
+
+    constraints {
+        implementation('com.nimbusds:nimbus-jose-jwt') {
+            version {
+                require '9.37.1'
+            }
+            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+        }
+    }
 }
 
 test {