Use a safe version of maven-shared-utils #18189

Merged
merged 1 commit into from
Jun 28, 2021


aloubyansky
Member

Fixes #18050

@quarkus-bot quarkus-bot bot added the area/devtools Issues/PR related to maven, gradle, platform and cli tooling/plugins label Jun 28, 2021
@gsmet gsmet added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 28, 2021
@famod
Member

famod commented Jun 28, 2021

FWIW, this should be part of the next Maven 3.8.x version (WIP).

@aloubyansky
Member Author

@famod do you know which version they are going to include? Is it 3.3.3, 3.3.4 or later?

@famod
Member

famod commented Jun 28, 2021

@aloubyansky
Member Author

Thanks. Reading https://issues.apache.org/jira/browse/MNG-7177, it seems like it's not entirely safe, at least for the full-blown Maven, to use 3.3.4. I'll keep 3.3.3 for now. Once we upgrade to a Maven version that contains the fix, we can remove this constraint from our BOM.

@famod
Member

famod commented Jun 28, 2021

Makes sense, given that Jansi 2 seems to cause backporting issues and given that this was bumped in 3.3.4 (but not yet in 3.3.3).

@quarkus-bot

quarkus-bot bot commented Jun 28, 2021

Failing Jobs - Building 94d8a01

Status Name Step Test failures Logs Raw logs
JVM Tests - JDK 11 Build ⚠️ Check → Logs Raw logs
✔️ JVM Tests - JDK 16

@aloubyansky aloubyansky merged commit 27d0598 into quarkusio:main Jun 28, 2021
@quarkus-bot quarkus-bot bot added this to the 2.1 - main milestone Jun 28, 2021
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jun 28, 2021
@gsmet gsmet modified the milestones: 2.1 - main, 2.0.1.Final Jun 28, 2021
Successfully merging this pull request may close these issues.

[email protected] Security Vulnerability: Command Injection