From f3713d1f39d2e92f299f4a2349c368defc99ad05 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 12:14:31 +0100
Subject: [PATCH] chore: Fix transitive vulnerability in jackson

Set the minimum version to 2.15.0. Version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400. A gradle constraint does not fix the version, just sets a minimum version: https://www.linen.dev/s/gradle-community/t/22694678/hi-snyk-has-revealed-that-some-deeply-nested-transitive-depe#e46476e5-70e1-49a7-a72f-fa5453374e42
---
 build.gradle | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build.gradle b/build.gradle
index 97adbcf..a0000a5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,6 +62,12 @@ dependencies {
 implementation "org.bitbucket.b_c:jose4j:$versions.jose4j"
 implementation 'org.apache.commons:commons-lang3:3.17.0'
 implementation 'commons-codec:commons-codec:1.17.1'
+
+ constraints {
+ implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
+ because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400'
+ }
+ }
 }
 
 shadowJar {
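Review bot: The constraint raises only `jackson-core`, while the transitive path named in the `because` reason (com.auth0:auth0@2.12.0) presumably also pulls in `jackson-databind` and `jackson-annotations` at 2.14.2, which this hunk leaves untouched; Jackson modules are expected to be kept at matching versions, so consider constraining the whole set, e.g. `implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')` next to the other `implementation` lines, or adding matching constraints for the other modules, after confirming which artifact the scanner actually flagged. The `because` text cites only a CWE category, so it cannot be checked later whether the advisory is resolved; recording the advisory identifier, e.g. `because 'CVE-<id-from-scanner>: 2.14.2 via com.auth0:auth0@2.12.0 is affected'`, tells a future maintainer when the constraint can be dropped once auth0 itself upgrades. Since a constraint sets a minimum rather than a fixed version, as the commit message notes, a dependency-lock or `dependencyInsight` check in CI would confirm the resolved version actually moved. The enclosing `dependencies` block opens before the hunk.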