Adjusted dependency versions to address CVEs

Adjusted com.github.seancfoley:ipaddress version to address CVE. Adjusted org.apache.commons:commons-compress to address CVE. Added commons-io:commons-io due to above update. Signed-off-by: Vijayan Balasubramanian <[email protected]>
opensearch-project · Mar 12, 2024 · dc93821 · dc93821
1 parent a7ed59a
commit dc93821
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ See the [CONTRIBUTING guide](./CONTRIBUTING.md#Changelog) for instructions on ho
 ### Features
 ### Enhancements
 ### Bug Fixes
+* Adjusted dependency versions to address CVEs ([#635](https://github.com/opensearch-project/geospatial/pull/635))
 ### Infrastructure
 ### Documentation
 ### Maintenance

diff --git a/build.gradle b/build.gradle
@@ -171,7 +171,7 @@ dependencies {
     implementation "org.apache.commons:commons-csv:1.10.0"
     zipArchive group: 'org.opensearch.plugin', name:'opensearch-job-scheduler', version: "${opensearch_build}"
     compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}"
-    implementation "com.github.seancfoley:ipaddress:5.4.0"
+    implementation "com.github.seancfoley:ipaddress:5.4.2"
 }
 
 licenseHeaders.enabled = true

diff --git a/libs/h3/build.gradle b/libs/h3/build.gradle
@@ -38,7 +38,8 @@ dependencies {
     api "org.apache.logging.log4j:log4j-api:${versions.log4j}"
     api "org.apache.logging.log4j:log4j-core:${versions.log4j}"
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
-    testImplementation "org.apache.commons:commons-compress:1.21"
+    testImplementation 'commons-io:commons-io:2.15.1'
+    testImplementation "org.apache.commons:commons-compress:1.26.0"
     testImplementation "org.apache.lucene:lucene-spatial3d:${versions.lucene}"
 }
 licenseFile = "LICENSE.txt"