From 786cf870b5ca6047e7862e44840dbde36ffb7d46 Mon Sep 17 00:00:00 2001
From: Tim te Beek
Date: Sat, 14 Mar 2026 16:56:49 +0100
Subject: [PATCH] Upgrade kotlin-reflect from 1.6.10 to 2.2.0

kotlin-compiler-embeddable declares a transitive dependency on kotlin-reflect 1.6.10, which is flagged for CVE-2020-29582 (insecure temp file permissions). Adding an explicit kotlin-reflect dependency at the same version as the rest of the Kotlin dependencies (2.2.0) causes Gradle's conflict resolution to select the newer version. This resolves the vulnerability across all 47 downstream recipe repos that transitively depend on rewrite-kotlin.
See moderneinc/dependency-vulnerability-reports#1010
---
 rewrite-kotlin/build.gradle.kts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rewrite-kotlin/build.gradle.kts b/rewrite-kotlin/build.gradle.kts
index 3909f6e878e..ea25b2f58ff 100644
--- a/rewrite-kotlin/build.gradle.kts
+++ b/rewrite-kotlin/build.gradle.kts
@@ -14,6 +14,7 @@ dependencies {
 implementation(project(":rewrite-java"))
 implementation(kotlin("compiler-embeddable", kotlinVersion))
+ implementation(kotlin("reflect", kotlinVersion))
 implementation(kotlin("stdlib", kotlinVersion))
 testImplementation("org.junit-pioneer:junit-pioneer:latest.release")
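Review bot: The added `implementation(kotlin("reflect", kotlinVersion))` line reads as redundant next to the stdlib and compiler-embeddable entries, and the only record of why it exists is this commit message, so a later cleanup could drop it and silently reintroduce the transitive 1.6.10. Attach the rationale to the declaration itself, e.g. `implementation(kotlin("reflect", kotlinVersion)) { because("overrides transitive kotlin-reflect 1.6.10 from kotlin-compiler-embeddable, CVE-2020-29582") }`, so it is visible in the file and in `dependencyInsight` output. The fix also appears to rely on Gradle's default highest-version conflict resolution; a consumer that pins kotlin-reflect through a platform or a strict version could presumably still resolve 1.6.10, so a `constraints {}` entry (with `strictly` if that is the intent) or a resolution check in the build would make the outcome enforced rather than incidental. The enclosing `dependencies {}` block starts before and ends after the hunk.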