

update to latest maven deps and use latest jetty deps to pass CVEs
puredanger committed Dec 4, 2023
1 parent e6ad61d commit 602fd23
Showing 2 changed files with 44 additions and 34 deletions.
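--- a/deps.edn
+++ b/deps.edn
@@ -1,21 +1,22 @@
 {:paths ["src/main/clojure" "src/main/resources"]
 :deps {
 org.clojure/clojure {:mvn/version "1.10.3"}
-org.apache.maven.resolver/maven-resolver-api {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-spi {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-impl {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-util {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-connector-basic {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-transport-file {:mvn/version "1.8.2"}
-org.apache.maven.resolver/maven-resolver-transport-http {:mvn/version "1.8.2"}
-org.apache.maven/maven-resolver-provider {:mvn/version "3.8.6"}
-org.apache.maven/maven-core {:mvn/version "3.8.6" exclusions [commons-io/commons-io com.google.guava/guava]}
-commons-io/commons-io {:mvn/version "2.15.1"} ;; update transitive dep due to CVE-2021-29425
-com.google.guava/guava {:mvn/version "31.1-android"} ;; update transitive dep due to CVE-2020-8908
+org.apache.maven.resolver/maven-resolver-api {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-spi {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-impl {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-util {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-connector-basic {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-transport-file {:mvn/version "1.9.18"}
+org.apache.maven.resolver/maven-resolver-transport-http {:mvn/version "1.9.18"}
+org.apache.maven/maven-resolver-provider {:mvn/version "3.9.6"}
+org.apache.maven/maven-core {:mvn/version "3.9.6"}
 org.clojure/data.xml {:mvn/version "0.2.0-alpha8"}
 org.clojure/tools.gitlibs {:mvn/version "2.5.197"}
 org.clojure/tools.cli {:mvn/version "1.0.219"}
-com.cognitect.aws/api {:mvn/version "0.8.686"}
+com.cognitect.aws/api {:mvn/version "0.8.686" :exclusions [org.eclipse.jetty/jetty-http org.eclipse.jetty/jetty-client org.eclipse.jetty/jetty-util]} ;; override for CVEs
+org.eclipse.jetty/jetty-http {:mvn/version "9.4.53.v20231009"}
+org.eclipse.jetty/jetty-client {:mvn/version "9.4.53.v20231009"}
+org.eclipse.jetty/jetty-util {:mvn/version "9.4.53.v20231009"}
 com.cognitect.aws/endpoints {:mvn/version "1.1.12.504"}
 com.cognitect.aws/s3 {:mvn/version "848.2.1413.0"}
 javax.inject/javax.inject {:mvn/version "1"}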
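Review bot: The commons-io and guava pins that carried the CVE-2021-29425 / CVE-2020-8908 rationale are dropped together with the maven-core exclusions, and the new maven-core line says nothing about why the pins are no longer needed; the diff appears to assume maven-core 3.9.6 now pulls patched versions transitively, but that is not stated anywhere. Suggest `org.apache.maven/maven-core {:mvn/version "3.9.6"} ;; pulls commons-io/guava past CVE-2021-29425 / CVE-2020-8908, so the explicit pins were dropped`, after confirming it against the resolved dependency tree. The `;; override for CVEs` comment on the com.cognitect.aws/api line similarly names no advisory; writing `;; override for <JETTY-ADVISORY-ID>` (placeholder) would let a later reviewer check whether 9.4.53.v20231009 is still sufficient.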
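--- a/pom.xml
+++ b/pom.xml
@@ -21,8 +21,8 @@
 <!-- used for build -->
 <clojure.warnOnReflection>true</clojure.warnOnReflection>
 <clojure.version>1.10.3</clojure.version>
-<resolverVersion>1.8.2</resolverVersion>
-<mavenVersion>3.8.6</mavenVersion>
+<resolverVersion>1.9.18</resolverVersion>
+<mavenVersion>3.9.6</mavenVersion>
 
 <!-- default published in install deps.edn -->
 <clojure.default>1.10.3</clojure.default>
@@ -78,26 +78,6 @@
 <groupId>org.apache.maven</groupId>
 <artifactId>maven-core</artifactId>
 <version>${mavenVersion}</version>
-<exclusions>
-<exclusion> <!-- CVE-2021-29425 -->
-<groupId>commons-io</groupId>
-<artifactId>commons-io</artifactId>
-</exclusion>
-<exclusion> <!-- CVE-2020-8908 -->
-<groupId>com.google.guava</groupId>
-<artifactId>guava</artifactId>
-</exclusion>
-</exclusions>
 </dependency>
-<dependency> <!-- overridden transitive dep -->
-<groupId>commons-io</groupId>
-<artifactId>commons-io</artifactId>
-<version>2.15.1</version>
-</dependency>
-<dependency> <!-- overridden transitive dep -->
-<groupId>com.google.guava</groupId>
-<artifactId>guava</artifactId>
-<version>31.1-android</version>
-</dependency>
 <dependency>
 <groupId>org.slf4j</groupId>
@@ -124,6 +104,35 @@
 <groupId>com.cognitect.aws</groupId>
 <artifactId>api</artifactId>
 <version>0.8.686</version>
+<exclusions>
+<exclusion>
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-http</artifactId>
+</exclusion>
+<exclusion>
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-client</artifactId>
+</exclusion>
+<exclusion>
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-util</artifactId>
+</exclusion>
+</exclusions>
 </dependency>
+<dependency> <!-- override for CVE fixes -->
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-http</artifactId>
+<version>9.4.53.v20231009</version>
+</dependency>
+<dependency> <!-- override for CVE fixes -->
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-client</artifactId>
+<version>9.4.53.v20231009</version>
+</dependency>
+<dependency> <!-- override for CVE fixes -->
+<groupId>org.eclipse.jetty</groupId>
+<artifactId>jetty-client</artifactId>
+<version>9.4.53.v20231009</version>
+</dependency>
 <dependency>
 <groupId>com.cognitect.aws</groupId>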
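Review bot: The third jetty override in the last hunk declares `jetty-client` a second time (the artifactId under the third `override for CVE fixes` comment) instead of `jetty-util`, so jetty-util is excluded from com.cognitect.aws/api but never re-added; Maven will warn about the duplicate declaration, and jetty-util is then either absent at runtime or resolved through some other path at whatever version that path carries rather than the patched one. deps.edn in the same commit excludes and re-declares all three artifacts, so the two manifests now diverge. Change the duplicated line to `<artifactId>jetty-util</artifactId>`. The enclosing `<dependencies>` element starts and ends outside the hunk.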
