fix: Remove vulnerable transitive dependencies (plexus-utils, kotlin-stdlib)

mroman-recurly · mroman-recurly · commit a6c7776b3a65 · 2026-04-14T07:30:03.000-06:00
- Replace gson-jodatime-serialisers with inline DateTime serializer using ISODateTimeFormat.dateTime()
- Remove gson-jodatime-serialisers 1.8.0 from pom.xml, eliminating transitive kotlin-stdlib 1.3.21
- Move plexus-utils from &lt;dependencies&gt; to &lt;dependencyManagement&gt; at version 4.0.3
- Add format-parity test to verify identical ISO 8601 serialization output
diff --git a/pom.xml b/pom.xml
@@ -249,11 +249,7 @@
             <artifactId>joda-time</artifactId>
             <version>2.10.6</version>
         </dependency>
-        <dependency>
-            <groupId>com.fatboyindustrial.gson-jodatime-serialisers</groupId>
-            <artifactId>gson-jodatime-serialisers</artifactId>
-            <version>1.8.0</version>
-        </dependency>
+
         <dependency>
             <groupId>org.apache.maven.surefire</groupId>
             <artifactId>surefire</artifactId>
@@ -293,14 +289,17 @@
             <scope>test</scope>
         </dependency>
 
-        <!-- Specify versions of transitive dependencies
-            plexus:plexus-utils introduced through jacoco-maven-plugin, maven-compiler-plugin, and others
-              - can be removed when mvn dependency:list shows version 3.0.24 or higher and no snyk reported vulnerabilities
-        -->
-        <dependency>
-          <groupId>org.codehaus.plexus</groupId>
-          <artifactId>plexus-utils</artifactId>
-          <version>3.5.1</version>
-        </dependency>
     </dependencies>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- Pin plexus-utils for Maven plugin resolution only (not shipped to consumers).
+                 Transitive dep of jacoco-maven-plugin, maven-compiler-plugin, and others. -->
+            <dependency>
+                <groupId>org.codehaus.plexus</groupId>
+                <artifactId>plexus-utils</artifactId>
+                <version>4.0.3</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 </project>
diff --git a/src/main/java/com/recurly/v3/JsonSerializer.java b/src/main/java/com/recurly/v3/JsonSerializer.java
@@ -1,6 +1,5 @@
 package com.recurly.v3;
 
-import com.fatboyindustrial.gsonjodatime.Converters;
 import com.google.gson.*;
 import com.google.gson.annotations.SerializedName;
 import com.google.gson.reflect.TypeToken;
@@ -15,6 +14,7 @@
 import java.util.Map;
 
 import org.joda.time.DateTime;
+import org.joda.time.format.ISODateTimeFormat;
 
 public class JsonSerializer {
   private class DateDeserializer implements JsonDeserializer<DateTime> {
@@ -25,7 +25,14 @@ public DateTime deserialize(JsonElement element, Type arg1, JsonDeserializationC
     }
   }
 
-  private final Gson gsonSerializer = Converters.registerDateTime(new GsonBuilder()).create();
+  private final Gson gsonSerializer =
+      new GsonBuilder()
+          .registerTypeAdapter(
+              DateTime.class,
+              (com.google.gson.JsonSerializer<DateTime>)
+                  (src, typeOfSrc, context) ->
+                      new JsonPrimitive(ISODateTimeFormat.dateTime().print(src)))
+          .create();
   private final Gson gsonDeserializer =
       new GsonBuilder()
           .excludeFieldsWithoutExposeAnnotation()
diff --git a/src/test/java/com/recurly/v3/JsonSerializerTest.java b/src/test/java/com/recurly/v3/JsonSerializerTest.java
@@ -1,13 +1,16 @@
 package com.recurly.v3;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import com.recurly.v3.fixtures.DateTimeTestClass;
 import com.recurly.v3.fixtures.FixtureConstants;
 import com.recurly.v3.fixtures.MyRequest;
 import com.recurly.v3.fixtures.MyResource;
 import com.recurly.v3.Constants;
 import org.joda.time.DateTime;
+import org.joda.time.DateTimeZone;
+import org.joda.time.format.ISODateTimeFormat;
 import org.junit.jupiter.api.Test;
 
 public class JsonSerializerTest {
@@ -125,6 +128,36 @@ private static String getDateTimesJson() {
         + "}";
   }
 
+  @Test
+  public void testDateTimeSerializationFormatParity() {
+    final JsonSerializer jsonSerializer = new JsonSerializer();
+
+    // Verify the inline serializer produces the same ISO 8601 output
+    // as ISODateTimeFormat.dateTime() (which the removed library used)
+    final DateTime dt = new DateTime(2019, 5, 31, 15, 31, 24, 99, DateTimeZone.UTC);
+    final String expected = ISODateTimeFormat.dateTime().print(dt);
+
+    final MyRequest request = new MyRequest();
+    request.setMyDateTime(dt);
+    final String serialized = jsonSerializer.serialize(request);
+
+    assertTrue(serialized.contains("\"" + expected + "\""),
+        "Serialized JSON should contain ISO 8601 DateTime: " + expected
+            + " but got: " + serialized);
+
+    // Round-trip: serialize then deserialize and verify field values
+    final String json = "{\"my_datetime\":\"" + expected + "\"}";
+    final DateTimeTestClass deserialized =
+        jsonSerializer.deserialize("{\"date1\":\"" + expected + "\"}", DateTimeTestClass.class);
+    assertEquals(2019, deserialized.getDate1().getYear());
+    assertEquals(5, deserialized.getDate1().getMonthOfYear());
+    assertEquals(31, deserialized.getDate1().getDayOfMonth());
+    assertEquals(15, deserialized.getDate1().getHourOfDay());
+    assertEquals(31, deserialized.getDate1().getMinuteOfHour());
+    assertEquals(24, deserialized.getDate1().getSecondOfMinute());
+    assertEquals(99, deserialized.getDate1().getMillisOfSecond());
+  }
+
   private static void checkDateTime(DateTime date) {
     assertEquals(DateTime.class, date.getClass());
     assertEquals(2019, date.getYear());
