Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade xerces:xercesImpl #1143

Closed
feffi opened this issue Jun 19, 2018 · 5 comments
Closed

Upgrade xerces:xercesImpl #1143

feffi opened this issue Jun 19, 2018 · 5 comments
Labels
2.x
Milestone
2.6.0

Comments

@feffi
Copy link
Contributor

feffi commented Jun 19, 2018

✗ High severity vulnerability found on xerces:xercesImpl@2.8.1
@feffi
Copy link
Contributor Author

feffi commented Jun 19, 2018

for a parent list, have a look at: #1129

@feffi
Copy link
Contributor Author

feffi commented Jun 19, 2018

There is no fix version for xerces:xercesImpl yet

@jknack
Copy link
Member

jknack commented Jun 27, 2018

xerces is transitive dependency from jooby-pac4j

[INFO] +- org.pac4j:pac4j-openid:jar:2.2.1:test
[INFO] |  +- org.openid4java:openid4java:jar:1.0.0:test
[INFO] |  |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
[INFO] |  |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
[INFO] |  |  +- net.sourceforge.nekohtml:nekohtml:jar:1.9.10:test
[INFO] |  |  \- xerces:xercesImpl:jar:2.8.1:test

I didn't try it but think it is used in a closed context so we are safe.

@feffi
Copy link
Contributor Author

feffi commented Jun 28, 2018

For those kind of transitive vulnerabilities, I would recommend to write tests to verify this.

@jknack
Copy link
Member

jknack commented Jan 21, 2020

dependencies are automatically updated with dependabot now

@jknack jknack closed this as completed Jan 21, 2020
@jknack jknack added the 2.x label Jan 21, 2020
@jknack jknack added this to the 2.6.0 milestone Jan 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.x
Projects
None yet
Milestone
2.6.0
Development

No branches or pull requests
2 participants
@feffi @jknack