Merge 4b1c86d into 31deafb

.github/dogfooding_suppressions.xml

@@ -49,4 +49,21 @@
     <packageUrl regex="true">^pkg:maven/org\.codehaus\.plexus/plexus-.*$</packageUrl>
     <cpe>cpe:/a:codehaus-plexus_project:codehaus-plexus</cpe>
   </suppress>
+  <suppress>
+    <filePath regex="true">.*\bclojure-complete-0\.2\.5\.jar</filePath>
+    <cve>CVE-2017-20189</cve>
+  </suppress>
+  <suppress>
+    <filePath regex="true">.*\bcore\.specs\.alpha-0\.2\.62\.jar</filePath>
+    <cve>CVE-2017-20189</cve>
+  </suppress>
+  <suppress>
+    <filePath regex="true">.*\bspec\.alpha-0\.3\.218\.jar</filePath>
+    <cve>CVE-2017-20189</cve>
+  </suppress>
+  <suppress>
+    <filePath regex="true">.*\bcommons-compress-1\.25\.0\.jar</filePath>
+    <cve>CVE-2024-25710</cve>
+    <cve>CVE-2024-26308</cve>
+  </suppress>
 </suppressions>

.github/lint.sh

@@ -7,4 +7,5 @@ classpath="$(lein with-profile -user,+test classpath)"
 # populate a clj-kondo cache per https://github.com/clj-kondo/clj-kondo/tree/4f1252748b128da6ea23033f14b2bec8662dc5fd#project-setup :
 lein with-profile -user,+test,+clj-kondo run -m clj-kondo.main --lint "$classpath" --dependencies --parallel --copy-configs
 lein with-profile -user,+test,+clj-kondo run -m clj-kondo.main --lint src test
+lein version
 lein eastwood

.github/workflows/ci.yaml

@@ -25,11 +25,11 @@ jobs:
         uses: actions/checkout@master
         with:
           ref: ${{ github.ref }}
-      - run: .github/lint.sh
       - name: Install leiningen
-        uses: DeLaGuardo/setup-clojure@master
+        uses: DeLaGuardo/setup-clojure@12.5
         with:
-          lein: 2.9.4
+          lein: 2.9.1
+      - run: .github/lint.sh
       - run: lein cljfmt check
       - run: lein with-profile +dev cloverage --lcov
       - name: Coveralls
@@ -56,9 +56,9 @@ jobs:
         with:
           ref: ${{ github.ref }}
       - name: Install leiningen
-        uses: DeLaGuardo/setup-clojure@master
+        uses: DeLaGuardo/setup-clojure@12.5
         with:
-          cli: '1.10.3.1029'
-          lein: '2.9.4'
+          cli: 1.10.3.1029
+          lein: 2.9.1
       - run: shellcheck .github/*.sh
       - run: .github/integration_test.sh

.github/workflows/dependencies.yaml

@@ -15,10 +15,10 @@ jobs:
         with:
           java-version: '11'
       - name: Install Clojure CLI
-        uses: DeLaGuardo/setup-clojure@master
+        uses: DeLaGuardo/setup-clojure@12.5
         with:
-          cli: '1.10.3.933'
-          lein: 2.9.5
+          cli: 1.10.3.933
+          lein: 2.9.1
       - name: check for outdated dependencies
         id: deps
         run: |

CHANGELOG.md

@@ -1,4 +1,4 @@
-## Changes from 4.0.0 to 4.0.0
+## Changes from 3.6.0 to 4.0.0
 
 * Update `dependency-check-core` to the 9.x series ([9.0.8](https://github.com/jeremylong/DependencyCheck/blob/v9.0.8/CHANGELOG.md))
   * This **requires** nvd-clojure users to request a NVD API key and configure it correctly.

deps.edn

@@ -1,10 +1,10 @@
 {:paths ["src"]
  :deps {org.clojure/clojure {:mvn/version "1.11.1"}
-        org.clojure/java.classpath {:mvn/version "1.0.0"}
+        org.clojure/java.classpath {:mvn/version "1.1.0"}
         clansi/clansi {:mvn/version "1.0.0"}
         org.clojure/data.json {:mvn/version "2.5.0"}
-        org.slf4j/slf4j-simple {:mvn/version "2.0.10"}
-        org.owasp/dependency-check-core {:mvn/version "9.0.8"}
+        org.slf4j/slf4j-simple {:mvn/version "2.0.12"}
+        org.owasp/dependency-check-core {:mvn/version "9.0.9"}
         rm-hull/table {:mvn/version "0.7.1"}
         trptcolin/versioneer {:mvn/version "0.2.0"}}
  :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}

project.clj

@@ -6,8 +6,8 @@
   :dependencies [[org.clojure/clojure "1.11.1"]
                  [clansi "1.0.0"]
                  [org.clojure/data.json "2.5.0"]
-                 [org.slf4j/slf4j-simple "2.0.10"]
-                 [org.owasp/dependency-check-core "9.0.8"]
+                 [org.slf4j/slf4j-simple "2.0.12"]
+                 [org.owasp/dependency-check-core "9.0.9"]
                  [rm-hull/table "0.7.1"]
                  [trptcolin/versioneer "0.2.0"]
                  ;; Explicitly depend on a certain Jackson, consistently.
@@ -19,7 +19,7 @@
                  [org.apache.maven.resolver/maven-resolver-transport-http "1.9.18" #_"Fixes a CVE"]
                  [org.yaml/snakeyaml "2.2" #_"Fixes a CVE"]
                  [org.apache.maven/maven-core "3.9.6" #_"Fixes a CVE"]
-                 [org.eclipse.jetty/jetty-client "12.0.5" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
+                 [org.eclipse.jetty/jetty-client "12.0.6" #_"Fixes a CVE" :exclusions [org.slf4j/slf4j-api]]
                  [org.apache.maven.resolver/maven-resolver-spi "1.9.18" #_"Satisfies :pedantic?"]
                  [org.apache.maven.resolver/maven-resolver-api "1.9.18" #_"Satisfies :pedantic?"]
                  [org.apache.maven.resolver/maven-resolver-util "1.9.18" #_"Satisfies :pedantic?"]
@@ -43,10 +43,10 @@
                              [jonase/eastwood "1.4.0"]]
                    :eastwood {:add-linters [:boxed-math
                                             :performance]}
-                   :dependencies [[clj-kondo "2023.12.15"]
+                   :dependencies [[clj-kondo "2024.02.12"]
                                   [commons-collections "20040616"]]}
              :ci {:pedantic? :abort}
-             :clj-kondo {:dependencies [[clj-kondo "2023.12.15"]]}
+             :clj-kondo {:dependencies [[clj-kondo "2024.02.12"]]}
              :skip-self-check {:jvm-opts ["-Dnvd-clojure.internal.skip-self-check=true"]}}
   :deploy-repositories [["clojars" {:url "https://clojars.org/repo"
                                     :username :env/clojars_username