
Vulnerabilities from dependencies: CVE-2020-8908 CVE-2020-15250

Open BoltUIX opened this issue 3 years ago • 5 comments

Vulnerabilities from dependencies: CVE-2020-8908 CVE-2020-15250

Ref https://mvnrepository.com/artifact/com.squareup.retrofit2/retrofit/2.9.0

Please fix

BoltUIX avatar Mar 28 '22 04:03 BoltUIX

Feel free to send pull requests for both version bumps. Note that we do not use the affected Guava method and we don't ship JUnit so neither of these are really a problem.

JakeWharton avatar Mar 28 '22 12:03 JakeWharton

On your Jackson converter, however, there are two vulnerabilities: CVE-2020-36518 and CVE-2020-25649.

When are you planning on releasing the next version?

ProIcons avatar Apr 05 '22 18:04 ProIcons

There is no current timeline for a new release. As always, our recommendation is to not rely on our transitive dependencies and to maintain up-to-date versions as part of your build. We will never do releases to track dependency updates.

JakeWharton avatar Apr 05 '22 19:04 JakeWharton
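The maintainer's advice above, pinning the flagged transitive versions in your own build instead of waiting for a Retrofit release, as an added Gradle Kotlin DSL example that is not part of this issue or of Retrofit's own build. It assumes the usual Maven coordinates for these libraries; the patched version strings are placeholders to fill in from each CVE's advisory, since the thread does not give them.

```kotlin
// build.gradle.kts of a consuming project (added example, not Retrofit's build).
// Retrofit 2.9.0 pulls in okhttp3 3.x, and its Jackson converter pulls in
// jackson-databind; a scanner such as the mvnrepository page flags the versions
// that happen to resolve. Gradle dependency constraints let the consumer raise
// those versions without changing Retrofit itself. JUnit needs no constraint:
// it is test-scoped upstream and does not reach the consumer's classpath.
// Versions in angle brackets are PLACEHOLDERS, not real coordinates.

dependencies {
    implementation("com.squareup.retrofit2:retrofit:2.9.0")
    implementation("com.squareup.retrofit2:converter-jackson:2.9.0")

    constraints {
        // CVE-2020-36518, CVE-2020-25649: reached through converter-jackson
        implementation("com.fasterxml.jackson.core:jackson-databind:<PATCHED_JACKSON_VERSION>") {
            because("CVE-2020-36518 / CVE-2020-25649: keep jackson-databind above the vulnerable range")
        }
        // CVE-2020-8908: Retrofit does not call the affected Guava method,
        // but the version on the classpath is what the scanner reports.
        implementation("com.google.guava:guava:<PATCHED_GUAVA_VERSION>") {
            because("CVE-2020-8908")
        }
        // CVE-2021-0341: fixed in OkHttp 4.x, which the maintainer states
        // keeps binary compatibility with the 3.x line Retrofit declares.
        implementation("com.squareup.okhttp3:okhttp:<PATCHED_OKHTTP_VERSION>") {
            because("CVE-2021-0341")
        }
    }
}

// Verify what actually resolved after applying the constraints, e.g.:
//   ./gradlew dependencyInsight --configuration runtimeClasspath \
//       --dependency com.squareup.okhttp3:okhttp
// The report shows the selected version and the "because" reason recorded above.
```

A constraint only raises a version that is already on the graph; it does not add the dependency, so a module Retrofit never ships (JUnit here) stays absent.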

OkHttp CVE-2021-0341

This was fixed in OkHttp 4.x while Retrofit is still on 3.x. I'm personally not comfortable upgrading a major version of a transitive dependency.

florensie avatar Jun 14 '22 14:06 florensie

OkHttp 4.x maintains binary compatibility with 3.x. We will not be bumping our version to 4.x at this time.

JakeWharton avatar Jun 14 '22 14:06 JakeWharton

Guava, JUnit, and Jackson have all been updated on master. No further action to take.

JakeWharton avatar Jan 25 '24 16:01 JakeWharton