Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade the json dependency to version 20220924 #197

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

anilbharadia
Copy link

@anilbharadia anilbharadia commented Oct 16, 2022

Update the json dependency version from 20170516 to 20220924, because the older version has a vulnerability.

Reference: https://ossindex.sonatype.org/component/pkg:maven/org.json/json@20170516?utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

Fix till this PR is merged:

implementation("com.vdurmont:emoji-java:5.1.1")
constraints {
    implementation("org.json:json:20220924") {
        because("version 20170516 is affected by some vulnerability")
    }
}

@goodale
Copy link

goodale commented Dec 22, 2022

is there a reason this hasn't been merged?

@xenomachina
Copy link

It appears that org.json:json:20220924 does not fix the problem. I added the constraint in our build as suggested above, and dependency-check still detects the CVE.

Looking at the issues for org.json:json, they have an issue about the vulnerability and a PR, but the PR was only merged last week, and is not yet released.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants