From 12016fca918313582316d74995b6a81cb564c6f4 Mon Sep 17 00:00:00 2001
From: Jonathan Flynn
Date: Mon, 24 Jun 2024 15:07:21 +0100
Subject: [PATCH 1/3] bump common-compress transitively to fix high vulnerability
---
 build.sbt | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/build.sbt b/build.sbt
index cf54ce3..5470ee0 100644
--- a/build.sbt
+++ b/build.sbt
@@ -16,12 +16,13 @@ lazy val core = project.settings(
 name := "marley",
 Compile / scalacOptions ++= Seq("-release:11", "-Ymacro-annotations"),
 libraryDependencies ++= Seq(
- "org.apache.avro" % "avro" % "1.11.3",
+ "org.apache.avro" % "avro" % "1.11.3" exclude("org.apache.commons", "commons-compress"),
 "org.xerial.snappy" % "snappy-java" % "1.1.10.5",
 "org.parboiled" %% "parboiled" % "2.5.0",
 "org.scala-lang" % "scala-compiler" % scalaVersion.value % "provided",
 "org.scalatest" %% "scalatest" % "3.2.16" % Test,
- "org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test
+ "org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test,
+ "org.apache.commons" % "commons-compress" % "1.26.2"
 ),
 Test/testOptions += Tests.Argument(
 TestFrameworks.ScalaTest,
@@ -51,4 +52,4 @@ releaseProcess := Seq[ReleaseStep](
 tagRelease,
 setNextVersion,
 commitNextVersion
-)
+)
\ No newline at end of file
From aac02bc1edc13c7c81f7bbd7c5b718e2c02ad4a9 Mon Sep 17 00:00:00 2001
From: Jonathan Flynn
Date: Mon, 24 Jun 2024 15:26:16 +0100
Subject: [PATCH 2/3] adjust commons-compress version
---
 build.sbt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.sbt b/build.sbt
index 5470ee0..4290672 100644
--- a/build.sbt
+++ b/build.sbt
@@ -22,7 +22,7 @@ lazy val core = project.settings(
 "org.scala-lang" % "scala-compiler" % scalaVersion.value % "provided",
 "org.scalatest" %% "scalatest" % "3.2.16" % Test,
 "org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test,
- "org.apache.commons" % "commons-compress" % "1.26.2"
+ "org.apache.commons" % "commons-compress" % "1.26.0"
 ),
 Test/testOptions += Tests.Argument(
 TestFrameworks.ScalaTest,
From 72e308d869f27dac01d9a73e4bae8d567fbd6250 Mon Sep 17 00:00:00 2001
From: Jonathan Flynn
Date: Wed, 26 Jun 2024 09:57:00 +0100
Subject: [PATCH 3/3] remove exclude keyword and bump commons-compress
---
 build.sbt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.sbt b/build.sbt
index 4290672..5f0ec12 100644
--- a/build.sbt
+++ b/build.sbt
@@ -16,13 +16,13 @@ lazy val core = project.settings(
 name := "marley",
 Compile / scalacOptions ++= Seq("-release:11", "-Ymacro-annotations"),
 libraryDependencies ++= Seq(
- "org.apache.avro" % "avro" % "1.11.3" exclude("org.apache.commons", "commons-compress"),
+ "org.apache.avro" % "avro" % "1.11.3",
 "org.xerial.snappy" % "snappy-java" % "1.1.10.5",
 "org.parboiled" %% "parboiled" % "2.5.0",
 "org.scala-lang" % "scala-compiler" % scalaVersion.value % "provided",
 "org.scalatest" %% "scalatest" % "3.2.16" % Test,
 "org.scalatestplus" %% "scalacheck-1-17" % "3.2.16.0" % Test,
- "org.apache.commons" % "commons-compress" % "1.26.0"
+ "org.apache.commons" % "commons-compress" % "1.26.2"
 ),
 Test/testOptions += Tests.Argument(
 TestFrameworks.ScalaTest,
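Review bot: The final state of the PATCH 3/3 hunk leaves no record in the build of why `"org.apache.commons" % "commons-compress" % "1.26.2"` sits in `libraryDependencies`: with the `exclude` on avro removed, the entry appears to exist only so that a newer version out-ranks the one avro 1.11.3 pulls in transitively, and that presumably works only because conflict resolution picks the highest version in the graph. Nothing marks it as a security pin, so a later cleanup of "unused" dependencies would silently drop the classpath back to the vulnerable version, and the commit message says "high vulnerability" without identifying which advisory is being fixed. I would express the intent explicitly with `dependencyOverrides += "org.apache.commons" % "commons-compress" % "1.26.2"` preceded by `// force the commons-compress version avro pulls in transitively (security fix); drop once avro ships a fixed one`, naming the advisory in that comment. It is also worth confirming with `sbt evicted` or a dependency-tree dump that no other path on the classpath still resolves to an older commons-compress.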