Update vulnerable dependencies to latest compatible versions #114

Merged
merged 1 commit into from
Nov 9, 2023
Conversation

irdcat
Contributor

@irdcat irdcat commented Nov 8, 2023

What is the purpose of the change

My team wants to use this plugin in our everyday work; however, our company has a very strict policy about using IntelliJ plugins, and one of the requirements is that it must pass a BlackDuck scan by not having any dependencies which introduce a Security Risk.
The latest released version 213.5.3 had the following vulnerable dependencies:

High Security Risk:

  • Apache Avro 1.11.1 - Transitive dependency of Avro Compiler 1.11.1
  • JSON-java 20230227

Medium Security Risk:

  • Jackson-databind 2.14.0 - Transitive dependency of Avro Compiler 1.11.1

No Security Risk, but Operational Risk (Medium or lower):

  • Apache Velocity Engine 2.3 - Transitive dependency of Avro Compiler 1.11.1 (No remedy at this moment, but it doesn't pose a Security Risk according to BlackDuck)
  • Github API for Java 1.314
  • Apache Commons Text 1.10.0
  • Apache Commons Lang 3.12.0 - Transitive dependency of Apache Avro Compiler 1.11.1, Apache Commons Text 1.10.0, Apache Velocity Engine 2.3 and Github API for Java 1.314
  • Apache Commons Compress 1.21 - Transitive dependency of Apache Avro 1.11.1
  • Apache Commons IO 2.8.0 - Transitive dependency of Github API for Java 1.314
  • jackson-core 2.14.0 - Transitive dependency of Apache Avro 1.11.1
  • jackson-annotations 2.14.0 - Transitive dependency of jackson-databind 2.14.0
  • Apache Avro Compiler 1.11.1

Note: Most important for BlackDuck is Security Risk, however I've updated as much as I could to avoid the situation that something will come back at us.

Verifying this change

I've verified this change by executing tests that are in the project.
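Added example, not code from this PR or the project: one way to raise the transitive artifacts listed above to patched versions without declaring them as direct dependencies, and to fail the build if a flagged version still resolves. It assumes a Gradle Kotlin build script with the java plugin applied (so that `runtimeClasspath` exists); every `<PATCHED_*>` version string is a placeholder to be replaced with the release your scanner accepts.

```kotlin
// build.gradle.kts (assumed build system; example only, not the project's own file)
dependencies {
    // Direct dependencies named in the PR description; placeholder versions.
    implementation("org.apache.avro:avro-compiler:<PATCHED_AVRO_VERSION>")
    implementation("org.json:json:<PATCHED_JSON_JAVA_VERSION>")

    // Constraints raise the version of an artifact that is only reached
    // transitively (here via avro-compiler / avro), without adding it as a
    // direct dependency of the plugin.
    constraints {
        implementation("com.fasterxml.jackson.core:jackson-databind:<PATCHED_JACKSON_VERSION>") {
            because("BlackDuck flagged jackson-databind 2.14.0, pulled in by avro-compiler")
        }
        implementation("org.apache.commons:commons-compress:<PATCHED_COMPRESS_VERSION>") {
            because("BlackDuck flagged commons-compress 1.21, pulled in by avro")
        }
    }
}

// Guard task: walk the resolved runtime graph and fail if any version the
// scanner flagged still resolves, so a regression is caught before release.
tasks.register("checkFlaggedDependencies") {
    doLast {
        // "group:name" -> version flagged in the PR description
        val flagged = mapOf(
            "com.fasterxml.jackson.core:jackson-databind" to "2.14.0",
            "org.apache.commons:commons-compress" to "1.21",
            "org.apache.avro:avro" to "1.11.1",
            "org.json:json" to "20230227",
        )
        val stillPresent = configurations.runtimeClasspath.get()
            .incoming.resolutionResult.allComponents
            .mapNotNull { it.moduleVersion }
            .filter { flagged["${it.group}:${it.name}"] == it.version }
            .map { "${it.group}:${it.name}:${it.version}" }
        if (stillPresent.isNotEmpty()) {
            throw GradleException("Flagged dependency versions still resolve: $stillPresent")
        }
    }
}
```

To see which direct dependency pulls in a flagged artifact, run `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath`, which prints the full transitive path.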

@irdcat
Contributor Author

irdcat commented Nov 8, 2023

For some reason my fork didn't pick up the latest changes in the main branch. I'll fix that.

@opwvhk
Owner

opwvhk commented Nov 9, 2023

Thank you for your PR. Some changes were already picked up (but not yet released), but there's still some left. Time for a new release, I guess.

@opwvhk opwvhk merged commit e0ba58e into opwvhk:main Nov 9, 2023
2 checks passed
@irdcat
Contributor Author

irdcat commented Nov 9, 2023

@opwvhk Do you have any specific time frame in mind for the new release?

@opwvhk
Owner

opwvhk commented Nov 9, 2023

The release is currently pending JetBrains approval
