Bump commons-compress #8354
marcelstoer wants to merge 1 commit into testcontainers:main from marcelstoer:patch-1
Conversation
This addresses CVE-2024-25710 and CVE-2024-26308. I know your PR template says to not open PRs to bump dependencies. However, since this is security related it has IMO a higher urgency.
Fixes #8338
@eddumelendez is there any chance this will lead to an immediate release of 1.19.6 once merged?

Hi, thanks for the PR. There is no plan to update the dependency because of a breaking change in the API. See #8169 (comment). However, you can do it by yourself on your build file.
Yes, I understand that. However, at #8169 (comment) you said
I thought that commons-compress having critical vulnerabilities would be one of those "other" reasons.

I've tested myself that upgrading independently works perfectly fine. As a library, we want to avoid users having to do things like those described in that thread.
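The override the two comments above talk about (raising the transitive commons-compress in your own build rather than waiting for a testcontainers release), written out as an added example; this is not code from the PR or from the testcontainers project. It assumes a Gradle build with a Kotlin DSL script, testcontainers 1.19.5 declared as a test dependency, and commons-compress 1.26.0 as the target version, the release the linked commit message names as the fix for CVE-2024-25710 and CVE-2024-26308. The task name `checkCommonsCompress` and the helper `versionAtLeast` are this example's own.

```kotlin
// build.gradle.kts  (added example, not code from the testcontainers PR)
//
// Assumptions: testcontainers 1.19.5 is a test dependency and pulls in
// commons-compress transitively; 1.26.0 is the release that fixes
// CVE-2024-25710 and CVE-2024-26308 (per the commit message linked in the thread).

plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    testImplementation("org.testcontainers:testcontainers:1.19.5")

    // A dependency constraint lifts the transitive version without turning
    // commons-compress into a direct dependency of the project.
    constraints {
        testImplementation("org.apache.commons:commons-compress:1.26.0") {
            because("CVE-2024-25710 / CVE-2024-26308 are fixed in 1.26.0")
        }
    }
}

// Segment-wise numeric comparison: a plain string compare would rank
// "1.9.0" above "1.26.0", which is exactly the wrong answer here.
fun versionAtLeast(actual: String, minimum: String): Boolean {
    val a = actual.split(".").map { it.toIntOrNull() ?: 0 }
    val m = minimum.split(".").map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, m.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = m.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

// Guard task (hypothetical name): resolve the test runtime classpath and fail
// the build if an older commons-compress still wins resolution, e.g. because
// another constraint or a force() elsewhere in the build pulled it back down.
val checkCommonsCompress by tasks.registering {
    description = "Fails if commons-compress older than 1.26.0 is on testRuntimeClasspath"
    doLast {
        val ids = configurations.getByName("testRuntimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.apache.commons" && it.name == "commons-compress" }
        require(ids.isNotEmpty()) { "commons-compress not found on testRuntimeClasspath" }
        ids.forEach { id ->
            require(versionAtLeast(id.version, "1.26.0")) {
                "commons-compress ${id.version} resolved; 1.26.0 or newer is required"
            }
        }
    }
}

// Run the guard before the tests so a silently downgraded classpath is caught.
tasks.named("test") {
    dependsOn(checkCommonsCompress)
}
```

`./gradlew checkCommonsCompress` runs the guard on its own; `./gradlew dependencyInsight --dependency commons-compress --configuration testRuntimeClasspath` shows which declaration or constraint decided the resolved version when the guard fails. A Maven build gets the same effect from a `<dependencyManagement>` entry for `org.apache.commons:commons-compress`. Since the maintainer's reason for not bumping is an API break in commons-compress (#8169), the project's own test suite is the check that the pinned version still works for the testcontainers features it uses; the comment above reports that it does.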
…26.0 Further upgrades for Quesnelia: Upgrade log4j from 2.22.1 to 2.23.0. Upgrade testcontainers from 1.19.5 to 1.19.6. Upgrade commons-compress from 1.24.0 to 1.26.0 fixing https://nvd.nist.gov/vuln/detail/CVE-2024-25710 https://nvd.nist.gov/vuln/detail/CVE-2024-26308 see testcontainers/testcontainers-java#8354
👋🏾 @eddumelendez How'd you manage this?
When I try to upgrade

@eddumelendez, do you have any mid-term plans for this? Like, making this dependency internal and changing