Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Manage commons-io dependency #356

Closed
jvalkeal opened this issue Mar 9, 2022 · 1 comment
Closed

Manage commons-io dependency #356

jvalkeal opened this issue Mar 9, 2022 · 1 comment
Assignees
@corneil
Labels
type/backport Is a issue to track backport, use with branch/xxx
Milestone
2.8.0-M2

Comments

@jvalkeal
Copy link
Contributor

jvalkeal commented Mar 9, 2022

There's a wagon-http in spring-cloud-deployer-resource-maven which pulls commons-io 2.6 which have a cve in it.

We have overridden this in https://github.com/spring-cloud/spring-cloud-dataflow-build/blob/f0d74f04f69aff8c16032c3aaf0885b230d82430/spring-cloud-dataflow-build-dependencies/pom.xml#L26 so that within dataflow build we get commons-io 2.7. However if you directly just depend on spring-cloud-deployer-resource-maven looks like you get commons-io 2.6.

There is a complex dependency chain which goes from spring-cloud-deployer-resource-maven to parent build modules via parents and dependency management. Looks like this doesn't work in this case. Might be misunderstanding or just usual maven hell.

Should try to figure out where to force commons-io version. It's either on this repo or in spring-cloud-dataflow-build.

Essentially looking if user does something in maven/gradle:

<dependency>
  <artifactId>spring-cloud-deployer-resource-maven</artifactId>
  <groupId>org.springframework.cloud</groupId>
  <version>2.7.2</version>
</dependency>

or

implementation 'org.springframework.cloud:spring-cloud-deployer-resource-maven:2.7.2'
@jvalkeal jvalkeal added this to the 2.8.0-M2 milestone Mar 9, 2022
@jvalkeal
Copy link
Contributor Author

Done in #357

@github-actions github-actions bot mentioned this issue Mar 10, 2022
Closed
@cppwfs cppwfs added type/backport Is a issue to track backport, use with branch/xxx and removed for/backport labels Jun 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@corneil corneil

Labels
type/backport Is a issue to track backport, use with branch/xxx
Projects
None yet
Milestone
2.8.0-M2
Development

No branches or pull requests
3 participants
@jvalkeal @corneil @cppwfs