Revert update of Maven resolver libs - seeing resolution differences

CHANGELOG.md

@@ -3,6 +3,8 @@ Changelog
 
 *Also see [Tools and installer changelog](https://github.com/clojure/brew-install/blob/1.11.1/CHANGELOG.md)*
 
+* next
+  * Revert update of Maven resolver libs - seeing resolution differences
 * 0.18.1370 on Dec 4, 2023
   * TDEPS-256 create-basis - when different project dir is specified, should be used to resolve relative local deps
   * Update deps to latest

deps.edn

@@ -1,15 +1,17 @@
 {:paths ["src/main/clojure" "src/main/resources"]
  :deps {
    org.clojure/clojure {:mvn/version "1.10.3"}
-   org.apache.maven.resolver/maven-resolver-api {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-spi {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-impl {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-util {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-connector-basic {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-transport-file {:mvn/version "1.9.18"}
-   org.apache.maven.resolver/maven-resolver-transport-http {:mvn/version "1.9.18"}
-   org.apache.maven/maven-resolver-provider {:mvn/version "3.9.6"}
-   org.apache.maven/maven-core {:mvn/version "3.9.6"}
+   org.apache.maven.resolver/maven-resolver-api {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-spi {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-impl {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-util {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-connector-basic {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-transport-file {:mvn/version "1.8.2"}
+   org.apache.maven.resolver/maven-resolver-transport-http {:mvn/version "1.8.2"}
+   org.apache.maven/maven-resolver-provider {:mvn/version "3.8.6"}
+   org.apache.maven/maven-core {:mvn/version "3.8.6" :exclusions [commons-io/commons-io com.google.guava/guava]}
+     commons-io/commons-io {:mvn/version "2.15.1"} ;; update transitive dep due to CVE-2021-29425
+     com.google.guava/guava {:mvn/version "31.1-jre"} ;; update transitive dep due to CVE-2020-8908
    org.clojure/data.xml {:mvn/version "0.2.0-alpha8"}
    org.clojure/tools.gitlibs {:mvn/version "2.5.197"}
    org.clojure/tools.cli {:mvn/version "1.0.219"}

pom.xml

@@ -21,8 +21,8 @@
     <!-- used for build -->
     <clojure.warnOnReflection>true</clojure.warnOnReflection>
     <clojure.version>1.10.3</clojure.version>
-    <resolverVersion>1.9.18</resolverVersion>
-    <mavenVersion>3.9.6</mavenVersion>
+    <resolverVersion>1.8.2</resolverVersion>
+    <mavenVersion>3.8.6</mavenVersion>
 
     <!-- default published in install deps.edn -->
     <clojure.default>1.10.3</clojure.default>
@@ -78,6 +78,26 @@
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-core</artifactId>
       <version>${mavenVersion}</version>
+           <exclusions>
+        <exclusion> <!-- CVE-2021-29425 -->
+          <groupId>commons-io</groupId>
+          <artifactId>commons-io</artifactId>
+        </exclusion>
+        <exclusion> <!-- CVE-2020-8908 -->
+          <groupId>com.google.guava</groupId>
+          <artifactId>guava</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency> <!-- overridden transitive dep -->
+      <groupId>commons-io</groupId>
+      <artifactId>commons-io</artifactId>
+      <version>2.15.1</version>
+    </dependency>
+    <dependency> <!-- overridden transitive dep -->
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>31.1-android</version>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>