
Force apache commons-codec to 1.15 #240

Merged
merged 1 commit into from
Jul 1, 2022

Conversation

breedx-splk
Contributor

Mitigates https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518

It sucks to do it this way, but it looks like the v4.x release of httpclient hasn't yet been updated (see the bottom comment from 6 months ago) https://issues.apache.org/jira/browse/HTTPCLIENT-2072

@breedx-splk breedx-splk requested review from a team as code owners June 30, 2022 23:51
@mateuszrzeszutek mateuszrzeszutek merged commit 2a34f4b into main Jul 1, 2022
@mateuszrzeszutek mateuszrzeszutek deleted the common_codec_1_15 branch July 1, 2022 06:45
<!-- Temp work-around until httpclient upgrades its codec version -->
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.15</version>
Contributor


You don't need to add the version number here; having it in the parent pom is enough. None of the other dependencies in this file add a version number. Another option is to not add this dependency here at all, since having it in the parent is sufficient.
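The arrangement the reviewer describes, as an added example that is not taken from this PR: the parent pom pins commons-codec once in dependencyManagement and the module declares the dependency with no version of its own. The parent and module artifact names are assumptions; the commons-codec coordinates and the 1.15 version are the ones this PR uses.

```xml
<!-- Parent pom.xml (com.example:example-parent is a hypothetical name) -->
<project>
  <groupId>com.example</groupId>
  <artifactId>example-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>
  <dependencyManagement>
    <dependencies>
      <!-- Managed version applies to every module, including where
           commons-codec only arrives transitively through httpclient 4.5.x,
           so the vulnerable transitive version is overridden build-wide. -->
      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.15</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- Module pom.xml (com.example:example-module is a hypothetical name) -->
<project>
  <parent>
    <groupId>com.example</groupId>
    <artifactId>example-parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>example-module</artifactId>
  <dependencies>
    <!-- No <version> element: the parent's dependencyManagement supplies 1.15.
         A version written here would silently diverge from the parent later. -->
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
    </dependency>
  </dependencies>
</project>
```

Because Maven applies managed versions to transitive dependencies as well, the module-level declaration is optional; `mvn dependency:tree -Dincludes=commons-codec` on the module shows which version actually resolves.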

@@ -155,6 +155,12 @@
<artifactId>commons-io</artifactId>
<version>2.11.0</version>
</dependency>
<dependency>
<!-- Temp work-around until httpclient upgrades its codec version -->
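Review bot: the `<!-- Temp work-around until httpclient upgrades its codec version -->` comment on the new `<dependency>` gives a future maintainer no way to tell when the override can be retired; cite the tracking issue and advisory from the PR description in the comment, e.g. `<!-- Temp work-around for SNYK-JAVA-COMMONSCODEC-561518 until HTTPCLIENT-2072 lands -->`, so the pin is removed once httpclient bumps commons-codec itself rather than lingering indefinitely. It is also worth confirming with `mvn dependency:tree -Dincludes=commons-codec` that 1.15 is the resolved version in every module that pulls httpclient transitively, since a declaration in this one file only affects modules where it is declared or where the parent's dependencyManagement applies.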
Contributor


This comment is a bit misleading. The last release from the 4.5.x series of httpclient was in 2020.


3 participants