This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

Logback vulnerabilities in 1.0.6 release #19

Closed
boroda4436 opened this issue Jul 28, 2022 · 3 comments
@boroda4436

Hi! Do you have plans to publish version 1.0.7 on Maven? For now, the latest version has logback vulnerabilities.
[image attachment]

@vladmihalcea
Owner

vladmihalcea commented Jul 28, 2022

All the dependencies use <scope>provided</scope>, so they are not transitive.

Therefore, the library doesn't force you to use a dependency that has vulnerabilities as you have to declare all the dependencies explicitly in your project with higher version numbers.

I could do a release, but it will not change anything actually. The Logback version that your application is using is not the one from the db-util, but the one you declared explicitly in your pom.xml file.

@boroda4436
Author

Great, thanks!

@vladmihalcea
Owner

Fixed. I revised the dependencies and changed the scope of the logback one for test only. There is a single transitive dependency now.
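The scope behaviour discussed in this thread, shown as an added pom.xml example (this is not db-util's own pom.xml; the `com.example` coordinates and the `*_PLACEHOLDER` version strings are assumptions). A dependency in the default `compile` scope is inherited transitively by every consumer of the library, so a vulnerable version there reaches downstream projects that never asked for it. `provided` (the original arrangement) and `test` (the 1.0.7 change) are both non-transitive, so each consumer has to declare its own logging implementation and version explicitly.

```xml
<!-- Added example, not the db-util project's actual pom.xml.
     Coordinates and version strings are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-library</artifactId>
  <version>1.0.0-PLACEHOLDER</version>

  <dependencies>
    <!-- Library code only needs the SLF4J API at compile time.
         Default (compile) scope: this one IS transitive, which is
         acceptable because it is an API jar, not a logging backend. -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>SLF4J_VERSION_PLACEHOLDER</version>
    </dependency>

    <!-- Logging backend used only by this library's own tests.
         test scope: on the test classpath only, never transitive.
         (provided scope would also be non-transitive, but would still
         put logback on the library's compile classpath.)
         Had this been left in the default compile scope, every consumer
         would inherit LOGBACK_VERSION_PLACEHOLDER transitively. -->
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>LOGBACK_VERSION_PLACEHOLDER</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

A consumer of `my-library` then declares `logback-classic` itself, at whatever version its own scanner accepts. To confirm that the library really is not pulling logback in, run `mvn dependency:tree -Dincludes=ch.qos.logback` in the consuming project: logback should appear only under the consumer's own direct declaration, not under `my-library`.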

@vladmihalcea vladmihalcea added this to the 1.0.7 milestone Jul 28, 2022