Merge pull request #51 from TechnologyBrewery/50-commons-compress-vuln

#50 ⬆️ upgrade commons-compress to resolve vulnerability
TechnologyBrewery · Feb 13, 2024 · a74ddd0 · a74ddd0
2 parents d212d38 + 7740454
commit a74ddd0
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/fermenter-mda/pom.xml b/fermenter-mda/pom.xml
@@ -121,13 +121,21 @@
         <dependency>
             <groupId>org.apache.maven.plugin-testing</groupId>
             <artifactId>maven-plugin-testing-harness</artifactId>
-            <version>4.0.0-alpha-1</version>
+            <version>4.0.0-alpha-2</version>
             <scope>test</scope>
         </dependency>
         <!--
             NB:Should get pulled from maven-plugin-testing-harness, but temporarily being specified directly to resolve
             CVE-2023-37460.  Can be retired when maven-plugin-testing-harness uses plexus-archiver >= 4.8.0.
+
+            commons-compress likely can also go at that point, as the following block is to override the version that
+            comes with plexus-archiver 4.8.0 and has vulnerabilities.
           -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.25.0</version>
+        </dependency>
         <dependency>
             <groupId>org.codehaus.plexus</groupId>
             <artifactId>plexus-archiver</artifactId>