openvsx
[Vulnerability] parsson 1.0.0: Denial of Service due to large number parsing (CVE-2023-4043)
openvsx-server uses parsson 1.0.0, which has CVE-2023-4043.
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can lead malicious actors to exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
```
+--- org.springframework.boot:spring-boot-starter-data-elasticsearch -> 3.1.0
|    +--- org.springframework.boot:spring-boot-starter:3.1.0 (*)
|    \--- org.springframework.data:spring-data-elasticsearch:5.1.0
|         +--- org.springframework:spring-context:6.0.9 (*)
|         +--- org.springframework:spring-tx:6.0.9 (*)
|         +--- org.springframework.data:spring-data-commons:3.1.0 (*)
|         +--- co.elastic.clients:elasticsearch-java:8.7.0 -> 8.7.1
|         |    +--- org.elasticsearch.client:elasticsearch-rest-client:8.7.1
|         |    |    +--- org.apache.httpcomponents:httpclient:4.5.13 -> 4.5.14
|         |    |    |    +--- org.apache.httpcomponents:httpcore:4.4.16
|         |    |    |    \--- commons-codec:commons-codec:1.11 -> 1.15
|         |    |    +--- org.apache.httpcomponents:httpcore:4.4.13 -> 4.4.16
|         |    |    +--- org.apache.httpcomponents:httpasyncclient:4.1.5
|         |    |    +--- org.apache.httpcomponents:httpcore-nio:4.4.13 -> 4.4.16
|         |    |    \--- commons-codec:commons-codec:1.15
|         |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    +--- jakarta.json:jakarta.json-api:2.0.1 -> 2.1.1
|         |    \--- org.eclipse.parsson:parsson:1.0.0
```
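The slow path behind the CVE text above is not the parse itself but the later conversion of a `JsonNumber` to an integer: `JsonNumber.bigIntegerValue()` is documented as `bigDecimalValue().toBigInteger()`, and a `BigDecimal` built from the text `1e100000000` is cheap to create (unscaled value 1, scale -100000000) but expensive to expand into a `BigInteger`. The upgrade to parsson 1.0.5 or 1.1.4 is the fix; the following is an added example, not code from the openvsx issue, the openvsx project or Parsson, showing the vulnerable call beside a caller-side guard that inspects the cheap `BigDecimal` form before any conversion that expands digits. The class name, the `MAX_ABS_SCALE` and `MAX_PRECISION` limits, the `downloads` field and both JSON documents are constructed for the example.

```java
import jakarta.json.Json;
import jakarta.json.JsonNumber;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;
import java.io.StringReader;
import java.math.BigDecimal;
import java.math.BigInteger;

/**
 * Added example (not openvsx or Parsson code): guarding the conversion of an
 * untrusted JsonNumber to BigInteger against the CVE-2023-4043 slow path.
 */
public class BoundedJsonNumber {

    /** Assumed limit on |scale| (the power-of-ten shift); tune to what the application needs. */
    static final int MAX_ABS_SCALE = 10_000;

    /** Assumed limit on significant digits reaching downstream arithmetic. */
    static final int MAX_PRECISION = 10_000;

    /**
     * Vulnerable pattern: the jakarta.json API defines bigIntegerValue() as
     * bigDecimalValue().toBigInteger(). For "1e100000000" that call has to
     * materialise 10^100000000 before it can return, which is the DoS.
     */
    static BigInteger unguarded(JsonNumber n) {
        return n.bigIntegerValue();
    }

    /**
     * Hardened version: read the BigDecimal form (no digit expansion yet),
     * refuse out-of-range scale or precision, and only then convert.
     * The precision check bounds what later arithmetic sees; it does not
     * undo the cost of parsing a number that was already megabytes of digits.
     */
    static BigInteger guarded(JsonNumber n) {
        BigDecimal d = n.bigDecimalValue();
        if (Math.abs(d.scale()) > MAX_ABS_SCALE) {
            throw new IllegalArgumentException(
                "numeric scale " + d.scale() + " exceeds " + MAX_ABS_SCALE);
        }
        if (d.precision() > MAX_PRECISION) {
            throw new IllegalArgumentException(
                "numeric precision " + d.precision() + " exceeds " + MAX_PRECISION);
        }
        // Bounded work from here; throws ArithmeticException on a fractional value.
        return d.toBigIntegerExact();
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign document and one shaped like the CVE trigger.
        String[] docs = {
            "{\"downloads\": 12345}",
            "{\"downloads\": 1e100000000}"
        };
        for (String doc : docs) {
            try (JsonReader reader = Json.createReader(new StringReader(doc))) {
                JsonObject obj = reader.readObject();      // the parse itself is fast
                JsonNumber n = obj.getJsonNumber("downloads");
                try {
                    System.out.println("guarded -> " + guarded(n));
                } catch (IllegalArgumentException | ArithmeticException e) {
                    System.out.println("guarded -> rejected: " + e.getMessage());
                }
                // unguarded(n) on the second document would block this thread
                // computing 10^100000000; it is deliberately not called here.
            }
        }
    }
}
```

The scale check is the one that matters for the exponent form (`1e100000000` has precision 1, so a digit-count limit alone would not catch it); the same pre-check applies to `intValue()`, `longValue()` and `bigIntegerValueExact()`, which all go through the `BigDecimal` expansion. Apply the guard wherever the service turns a number from request JSON into an integer, and treat the dependency upgrade as the actual remediation.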