Mockwebserver has transitive vulnerability dependency on okio:3.2.0 and results in CVE-2023-3635

[sshankarbayari]

Hi,

We are using the dependency on com.squareup.okhttp3:mockwebserver and this has a transitive dependency on com.squareup.okio:okio:3.2.0.
+--- com.squareup.okhttp3:mockwebserver:5.0.0-alpha.11
| +--- com.squareup.okhttp3:okhttp:5.0.0-alpha.11
| | --- com.squareup.okhttp3:okhttp-jvm:5.0.0-alpha.11
| | +--- com.squareup.okio:okio:3.2.0
| | | --- com.squareup.okio:okio-jvm:3.2.0

okio-3.2.0 has a vulnerability that has been identified in one of our Fossa scans. The vul CVE-2023-3635 has been resolved in version 3.4.0 and above. The dependency version has to be updated to >3.4.0
CVE-2023-3635

[JakeWharton]

The dependency version has to be updated to >3.4.0

It already happened in #7932 and subsequently #7973

[sshankarbayari]

@JakeWharton Thank you! We use com.squareup.okhttp3:mockwebserver:5.0.0-alpha.11 which seems to be the latest version and this still has a transitive dependency to 3.2.0. Could you suggest which version of the mockwebserver we should use to get an updated version of okio?

[JakeWharton]

There is no release version which contains the dependency updates yet. The next one will have them updated.

[sshankarbayari]

Thanks, is there an ETA for the next version of mockwebserver that will have the dependency updates of okio?

[JakeWharton]

I no longer work on this library in such a capacity to know these things. I merely help triage issues as they come in as part of our larger open source efforts. Someone else will have to chime in.

[sshankarbayari]

@swankjesse @yschimke do you have some insight on the ETA for the next version of mockwebserver that will have the dependency updates of okio?