Upgrade to 3.4.0 to fix CVE-2023-3635 also requires a Kotlin upgrade #1323

Closed
tyvumo opened this issue Aug 2, 2023 · 4 comments
Comments

@tyvumo

tyvumo commented Aug 2, 2023

Scenario:
We are maintaining common libraries for our own and customer projects.
The dependencies are based on spring boot 2.7.14 as documented in https://docs.spring.io/spring-boot/docs/2.7.14/reference/html/dependency-versions.html .
We want to fix CVE-2023-3635 by upgrading Okio (and maybe Okhttp).

Expectations / Request:
We can fix CVE-2023-3635 without upgrading Kotlin in all dependent projects.
(Possibly unjustified Kotlin assumption: As long as we don't directly import Okio classes, linking should work as long as JVM versions are compatible.)

Observations:
Using Java, all seems fine.
In Kotlin code we get this error message:
[ERROR] /home/[...]/.m2/repository/com/squareup/okio/okio-jvm/3.4.0/okio-jvm-3.4.0.jar!/META-INF/okio.kotlin_module: (-1, -1) Module was compiled with an incompatible version of Kotlin. The binary version of its metadata is 1.8.0, expected version is 1.6.0.

Would it be possible to back-port the fix in 81bce1a to an Okio version before the Kotlin upgrade in 3.3.0?

@swankjesse
Member

Can do.

@marcelstoer

Looking forward to this as we're affected as well. As per https://square.github.io/okio/changelog/#version-320 3.2.0 is the latest not requiring Kotlin 1.8. Can we expect a 3.2.1 which addresses CVE-2023-3635 then? That would be fantastic!

@zangye

zangye commented Aug 16, 2023

Hello. When can you back-port the fix in 81bce1a to an Okio version before the Kotlin upgrade in 3.3.0?

@swankjesse
Member

I’ve shipped Okio 1.17.6 that includes a fix for this and has no Kotlin dependency.

I don’t think it’s a good investment in our time to backport this fix for earlier Kotlin versions. Both Okio and the Kotlin stdlib have strong backwards compatibility, and you will be safe running on Okio 3.6.0 + Kotlin Stdlib 1.9.10 even if your build toolchain uses an earlier Kotlin release.

@swankjesse closed this as not planned on Oct 2, 2023