deps-deploy indirectly depends on org.springframework.build/aws-maven@4.8.0.RELEASE, via s3-wagon-private/s3-wagon-private@1.3.5, but this is problematic for a couple of reasons:
- The org.springframework.build/aws-maven project was deprecated in 2019
- It has a vulnerability via its dependencies - CVE-2017-5929, and the last released version (5.0.0-RELEASE) has more
- This library includes a logback.xml file in the deployed JAR (a nasty anti-pattern), which interferes with downstream consumers who wish to provide their own LogBack configuration

I don't know enough about s3-wagon-private/s3-wagon-private to be able to suggest alternatives, but perhaps it has a newer version that uses a less problematic dependency?
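
A check for the third point above, as an added example that is not part of the original issue or of deps-deploy: it scans the JARs on a classpath for Logback configuration files packaged at the archive root, which is where Logback looks them up. The function names are illustrative and the JARs in the demo are constructed samples.

```python
import os
import sys
import tempfile
import zipfile
from pathlib import Path

# File names Logback has auto-discovered at the classpath root
# (logback.groovy only in older Logback releases).
LOGBACK_CONFIGS = {"logback.xml", "logback-test.xml", "logback.groovy"}

def bundled_logback_configs(jar_path):
    """Return the root-level Logback config entries packaged in one JAR."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if n in LOGBACK_CONFIGS)

def scan_classpath(entries):
    """Map each readable JAR on the classpath to the configs it ships."""
    findings = {}
    for entry in entries:
        path = Path(entry)
        if path.suffix != ".jar" or not path.is_file():
            continue  # directories and missing entries cannot bundle one
        try:
            hits = bundled_logback_configs(path)
        except zipfile.BadZipFile:
            continue  # corrupt archive: nothing to report here
        if hits:
            findings[str(path)] = hits
    return findings

def build_sample_jars(directory):
    """Write two constructed JARs: one ships logback.xml at its root."""
    layout = {
        "bundles-config.jar": ["logback.xml", "com/example/A.class"],
        "clean.jar": ["com/example/B.class", "conf/logback.xml"],
    }
    paths = []
    for name, members in layout.items():
        jar_path = os.path.join(directory, name)
        with zipfile.ZipFile(jar_path, "w") as jar:
            for member in members:
                jar.writestr(member, "constructed sample content")
        paths.append(jar_path)
    return paths

if __name__ == "__main__":
    # Pass a real classpath string as argv[1], or run the constructed demo.
    with tempfile.TemporaryDirectory() as tmp:
        cp = sys.argv[1].split(os.pathsep) if len(sys.argv) > 1 else build_sample_jars(tmp)
        for jar, configs in scan_classpath(cp).items():
            print(f"{jar}: {', '.join(configs)}")
```

For a tools.deps project, the classpath string printed by `clojure -Spath` can be passed as the single argument.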