Upgrade jsoup to 1.15.3 to mitigate against CVE vulnerability #2754

ryanlewis · 2022-11-25T11:28:04Z

Bump jsoup to 1.15.3 to mitigate against CVE-2022-36033.

A quick local test seemed to suggest that simply bumping the version breaks the build, when attempted locally.

IgnatBeresnev · 2022-12-13T03:45:52Z

Thanks for bringing this up and attempting to fix it on your own!

simply bumping the version breaks the build

yeah, Jsoup has the following class:

class Elements extends ArrayList<Element>

and we used Kotlin's List.filter extension on it in tests:

elements.filter { ... }

However, it looks like jsoup 1.15 brings a new method to this class, which interferes with the Kotlin extension:

public Elements filter(NodeFilter nodeFilter) {
    NodeTraversor.filter(nodeFilter, this);
    return this;
}

Fixes #2754

ryanlewis added the enhancement An issue for a feature or an overall improvement label Nov 25, 2022

IgnatBeresnev added a commit that referenced this issue Dec 13, 2022

Bump Jsoup to avoid CVE-2022-36033

e379d3c

Fixes #2754

IgnatBeresnev mentioned this issue Dec 13, 2022

Bump Jsoup to avoid CVE-2022-36033 #2772

Merged

IgnatBeresnev closed this as completed in #2772 Dec 15, 2022

IgnatBeresnev added a commit that referenced this issue Dec 15, 2022

Bump Jsoup to avoid CVE-2022-36033 (#2772)

f6ea66c

Fixes #2754

Provide feedback