Update vulnerable libraries

Open uwemock opened this issue 2 years ago • 4 comments

org.mustangproject:library is reported to contain the following dependencies that have known vulnerabilities:

com.fasterxml.jackson.core:jackson-databind:2.13.0
org.assertj:assertj-core:2.9.0

Please update.

uwemock avatar May 11 '22 18:05 uwemock

Hi, I upgraded xmlunit-assertj from 2.6.3 to 2.9.0 in validator. Where did you find the com.fasterxml.jackson.core:jackson-databind:2.13.0? I only see a 2.13.2.1 in the library pom.

jstaerk avatar May 12 '22 07:05 jstaerk

See library-2.5.0.jar/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/

uwemock avatar May 12 '22 19:05 uwemock

The com.fasterxml.jackson.core:jackson-databind:2.13.0 report is gone now. However, the org.assertj:assertj-core:2.9.0 report remains.

Do you use XMLUnit for testing purposes so the assertj dependency comes in? I wonder why you would require the library in the JAR.

uwemock avatar May 13 '22 18:05 uwemock

Upgraded from 2.6.3 to 2.9.0.

jstaerk avatar Aug 11 '22 11:08 jstaerk

@uwemock could you please confirm this is closed in the most recent release? Thanks.

jstaerk avatar Sep 12 '22 08:09 jstaerk

Looks good

uwemock avatar Sep 16 '22 06:09 uwemock
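
The check behind the May 12 pointer to `META-INF/maven/...` inside the JAR, written out as an added example (not part of the original thread and not Mustang project code): it lists the Maven coordinates embedded in a JAR via their `pom.properties` files and flags any that differ from what the pom declares. The function names and the in-memory sample JAR are constructed for illustration.

```python
import io
import zipfile

def bundled_artifacts(jar):
    """Return {"groupId:artifactId": version} for every Maven artifact embedded in a JAR."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties
            if len(parts) != 5 or parts[:2] != ["META-INF", "maven"] or parts[4] != "pom.properties":
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            # Fall back to the directory names if a key is missing.
            coord = f'{props.get("groupId", parts[2])}:{props.get("artifactId", parts[3])}'
            found[coord] = props.get("version", "unknown")
    return found

def version_mismatches(bundled, declared):
    """List (coordinate, declared_version, bundled_version) where the JAR and the pom disagree."""
    return sorted((c, declared[c], v) for c, v in bundled.items()
                  if c in declared and declared[c] != v)

def build_sample_jar():
    """Constructed sample JAR (in memory); contents are illustrative, not the real release."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.mustangproject/library/pom.properties",
                    "groupId=org.mustangproject\nartifactId=library\nversion=2.5.0\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#Generated by Maven\ngroupId=com.fasterxml.jackson.core\n"
                    "artifactId=jackson-databind\nversion=2.13.0\n")
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml", "<project/>")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    bundled = bundled_artifacts(build_sample_jar())
    # Version the maintainer reports seeing in the library pom.
    declared = {"com.fasterxml.jackson.core:jackson-databind": "2.13.2.1"}
    for coord, want, got in version_mismatches(bundled, declared):
        print(f"{coord}: pom declares {want}, JAR bundles {got}")
```

Pass a path to a real JAR to `bundled_artifacts` to get the list a dependency scanner will see, which can differ from the versions declared in the build file when an older artifact was shaded in.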