Posted to commits@maven.apache.org by mi...@apache.org on 2022/12/20 10:14:57 UTC

[maven] branch maven-3.8.x updated: [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version

This is an automated email from the ASF dual-hosted git repository.

michaelo pushed a commit to branch maven-3.8.x
in repository https://gitbox.apache.org/repos/asf/maven.git


The following commit(s) were added to refs/heads/maven-3.8.x by this push:
     new ba058ee39 [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
ba058ee39 is described below

commit ba058ee3972b4909baccb92fd0ebc2cf923ded85
Author: Michael Osipov <mi...@apache.org>
AuthorDate: Mon Jul 18 15:09:01 2022 +0200

    [MNG-7513] Address commons-io_commons-io vulnerability found in maven latest version
    
    We can safely remove Commons IO altogether because it is not used in any direct or
    transitive use case at compile time or runtime.
    
    This closes #771
---
 pom.xml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pom.xml b/pom.xml
index 4817232a2..0503501b6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -295,6 +295,13 @@ under the License.
         <groupId>org.apache.maven.shared</groupId>
         <artifactId>maven-shared-utils</artifactId>
         <version>3.3.4</version>
+        <exclusions>
+          <!-- We use org.apache.maven.shared.utils.logging only in Maven Core -->
+          <exclusion>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>org.fusesource.jansi</groupId>
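
Review bot: The new <exclusions> block on maven-shared-utils 3.3.4 is safe only while the comment's claim holds, that Maven Core uses nothing but org.apache.maven.shared.utils.logging, and nothing in this hunk enforces that. If a later change calls a maven-shared-utils class that depends on commons-io, it will still compile against maven-shared-utils and then fail at runtime with a missing class. Consider extending the XML comment to name MNG-7513 and say that commons-io is excluded for that reason, so the exclusion is not dropped by accident on the next maven-shared-utils upgrade. The exclusion also covers only this one dependency path, so a maven-enforcer-plugin bannedDependencies rule for commons-io:commons-io would catch the artifact coming back in through any other dependency.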