Latest release depends on vulnerable version of commons-compress #187
Comments
I can do a release. Looks like plexus-io now depends on Java 8, but some Maven plugins like the jar plugin still depend on Java 7, so the most sensible thing seems to be to release plexus-archiver without releasing plexus-io. Any objections?
Sounds reasonable...
Sounds like a reasonable reason to upgrade the jar plugin to Java 8, like most other plugins.
I've made a release without updating plexus-io so it is easier to upgrade vulnerable plugins. I'll release plexus-io and bump the Java version for Plexus Archiver to 8.
Hi,
The latest release available (4.2.5) depends on commons-compress 1.20 which now has these published vulnerabilities:
CVE-2021-35517
CVE-2021-35516
CVE-2021-35515
CVE-2021-36090
The version of this dependency in the master branch (1.21) is not affected by these vulnerabilities.
Is there a release expected soon?
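As an added check, not part of this issue or of the plexus-archiver project: a small Python script that scans `mvn dependency:tree` output for commons-compress versions older than 1.21 and reports the dependency path that pulls each one in. The sample tree is constructed; only the plexus-archiver 4.2.5 -> commons-compress 1.20 edge comes from the report above.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from the issue); the
# plexus-archiver 4.2.5 -> commons-compress 1.20 edge is the one reported above.
SAMPLE_TREE = """\
[INFO] org.example:myapp:jar:1.0
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.5:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

SCOPES = {"compile", "provided", "runtime", "test", "system"}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-only comparison key: '1.20' -> (1, 20). Qualifiers such as
    '-SNAPSHOT' are ignored, which is good enough for release versions."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_tree(tree: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, groupId, artifactId, version) for every node.
    Depth comes from the 3-character drawing cells ('+- ', '|  ', '\\- ')
    that Maven prints; lines with extra annotations (verbose mode) are skipped."""
    nodes = []
    for raw in tree.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = re.match(r"^([+|\\ \-]*)(\S+)$", line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")  # groupId:artifactId:type[:classifier]:version[:scope]
        version = parts[-2] if parts[-1] in SCOPES else parts[-1]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def find_vulnerable(tree: str, group: str, artifact: str, fixed_in: str) -> List[Tuple[str, str]]:
    """Return (version, path) for each occurrence of group:artifact older than
    fixed_in; path is the chain of parents from the root, so you can see which
    direct dependency (here plexus-archiver) needs upgrading or overriding."""
    hits = []
    stack: List[str] = []  # coordinate at each depth on the current branch
    for depth, g, a, v in parse_tree(tree):
        del stack[depth:]
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact) and version_key(v) < version_key(fixed_in):
            hits.append((v, " -> ".join(stack)))
    return hits


if __name__ == "__main__":
    for ver, path in find_vulnerable(SAMPLE_TREE, "org.apache.commons", "commons-compress", "1.21"):
        print(f"commons-compress {ver} < 1.21 via {path}")
```

Pipe real output in with `mvn dependency:tree | python3 this_script.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; an empty result means no commons-compress older than 1.21 is on the classpath.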