Upgrade metosin:scjsv to fix CVE-2018-10237 #139
Comments
My thought is: it won't help, because scjsv 0.6.0 still transitively depends on Guava 16.0.1. However, if we created a new release of scjsv that depended on json-schema-validator 2.2.13, that would bring in an up-to-date version of Guava and fix the problem. While you wait for this to happen, if you want to mitigate CVE-2018-10237 or any other issue, I recommend directly depending on up-to-date versions of libraries. Upgrading deps and making a new release is still a manual process for us, so it may take a while. 😐
Hi, and first of all, thanks for working on ring-swagger!

I noticed that the ring-swagger:0.26.2's dependency metosin:scjsv:0.5.0 depends on com.github.java-json-tools:json-schema-validator:jar:2.2.10, which in turn transitively depends on com.google.guava:guava:jar:16.0.1. Said Guava version is affected by the vulnerability CVE-2018-10237.

One way to fix the security issue in ring-swagger:0.26.2 may be to upgrade metosin:scjsv. Any thoughts on this?
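The transitive chain described in this issue can be checked mechanically. The following is an added example, not code from ring-swagger or its maintainers: it walks an indentation-based dependency tree and reports every path that ends in a Guava release older than the fix. The tree format, the `metosin:ring-swagger` coordinate spelling, the `example:unrelated-lib` entry and the 24.1.1 fix version (taken from the public advisory, not from this thread) are assumptions.

```python
import re

# Assumption: Guava 24.1.1 is the first release with the CVE-2018-10237 fix
# (from the public advisory; the thread itself does not state it).
FIXED = (24, 1, 1)
TARGET = "com.google.guava:guava"

# Constructed sample: two spaces of indentation per dependency level,
# using the coordinates quoted in the issue. Not real build-tool output.
SAMPLE_TREE = """\
metosin:ring-swagger:0.26.2
  metosin:scjsv:0.5.0
    com.github.java-json-tools:json-schema-validator:jar:2.2.10
      com.google.guava:guava:jar:16.0.1
  example:unrelated-lib:1.0.0
"""

def parse_coord(coord):
    """Split group:artifact[:packaging]:version into (group:artifact, version)."""
    parts = coord.split(":")
    return ":".join(parts[:2]), parts[-1]

def version_tuple(version):
    """Turn '24.1.1-jre' into (24, 1, 1); the qualifier after '-' is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_vulnerable_paths(tree_text):
    """Return each root-to-Guava path whose Guava version is below FIXED."""
    stack, hits = [], []
    for line in tree_text.splitlines():
        if not line.strip():
            continue
        depth = (len(line) - len(line.lstrip(" "))) // 2
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(line.strip())
        name, version = parse_coord(stack[-1])
        if name == TARGET and version_tuple(version) < FIXED:
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for path in find_vulnerable_paths(SAMPLE_TREE):
        print(" -> ".join(path))
```

Reporting the full path shows which intermediate library has to be upgraded or overridden, which is the question this thread is about.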