👌 IMPROVE: Bump Lucee loader dependency to 6.0.0.585 to avoid known CVEs

Ortus-Solutions · Feb 21, 2024 · b6225e0 · b6225e0
1 parent f2c8e69
commit b6225e0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+
+### 🔐 Security
+
+Bump Lucee build dependency to `6.0.0.585` to avoid [vulnerable dependencies in []`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254296), [`com.github.mwiede:jsch`](https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBMWIEDE-6130900), and [`org.apache.commons:commons-compress`](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-6254297). NOTE: None of these vulnerabilities are realized in the Ortus ORM Extension, since we do not ship any Lucee code.
+
 ## [6.5.1] - 2024-02-20
 
 ### 🐛 Fixed

diff --git a/pom.xml b/pom.xml
@@ -307,7 +307,7 @@ lucee-core-version: ${minLuceeVersion}
 		<dependency>
 			<groupId>org.lucee</groupId>
 			<artifactId>lucee</artifactId>
-			<version>5.4.4.38</version>
+			<version>6.0.0.585</version>
 			<!-- https://www.baeldung.com/maven-dependency-scopes#2-provided -->
 			<scope>provided</scope>
 		</dependency>