You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
0.6.12 appears to be the last version in the 0.6 branch dating back to 2015. Perhaps this is also an opportunity to upgrade to a more recent release? v0.9 even claims "MessagePack v7 (or later) is a faster implementation of the previous version v06".
As a workaround, maven consumers can excludeorg.javassist/javassist from transit-java and add a new dep on org.javassist/javassist 3.19.0-GA.
Thanks
The text was updated successfully, but these errors were encountered:
Hi,
JFrog Xray security analyser complains that the jboss-javassist/javassist 3.18.1-GA version which comes with msgpack/msgpack-java 0.6.12, has a known vulnerability (laconically captured in https://issues.redhat.com/browse/JASSIST-227) and should be upgraded to at least 3.19.0-GA (which has the fix).
I could not find any other reference to this vulnerability on the internet, and I am not aware where Xray source its security database from.
deps:
0.6.12 appears to be the last version in the 0.6 branch dating back to 2015. Perhaps this is also an opportunity to upgrade to a more recent release? v0.9 even claims "MessagePack v7 (or later) is a faster implementation of the previous version v06".
As a workaround, maven consumers can exclude
org.javassist/javassistfromtransit-javaand add a new dep onorg.javassist/javassist 3.19.0-GA.Thanks
The text was updated successfully, but these errors were encountered: