Potential Dependency Vulnerability in org.eclipse.jgit

[Brijeshthummar02]

While working on pom.xml, I noticed that the test dependency:

<groupId>org.eclipse.jgit</groupId>
<artifactId>org.eclipse.jgit</artifactId>
<version>6.10.0.202406032230-r</version>

is flagged for an XXE (XML External Entity) vulnerability with a severity score of 6.8.

🔒 To be on the safe side, should we consider updating to the unaffected version.

Let me know your thoughts — happy to raise a PR for the update if approved.

Link : https://osv.dev/vulnerability/GHSA-vrpq-qp53-qv56

[Brijeshthummar02]

will it be counted under https://github.com/checkstyle/checkstyle/security/advisories ??

[rnveach]

#17096
It's not a production issue

[Brijeshthummar02]

got it but we can check with new version '7.2.1.202505142326-r'

[rnveach]

See the first link

[Brijeshthummar02]

See the first link

My bad i missed it.