Skip to content

Bump org.apache.commons:commons-compress to 1.27.1#9796

Closed
yeikel wants to merge 1 commit intotestcontainers:mainfrom
yeikel:patch-1
Closed

Bump org.apache.commons:commons-compress to 1.27.1#9796
yeikel wants to merge 1 commit intotestcontainers:mainfrom
yeikel:patch-1

Conversation

@yeikel
Copy link
Copy Markdown

@yeikel yeikel commented Jan 15, 2025

As per the pull request template

Please do not open a pull request to update only a version dependency. Existing process will perform
the upgrade every week. However, if the upgrade involves more changes (changes for deprecated API) then
your pull request is very welcome.

That however does not seem to be true for this component as it is quite outdated and is poisoning the project with various vulnerabilities such as

CVE-2024-26308
CVE-2024-25710

If this pull request is deemed as invalid even with the context above, I'd appreciate that the "process" is triggered and that this dependency is updated to fix the CVEs above

@yeikel yeikel requested a review from a team January 15, 2025 23:50
@yeikel yeikel mentioned this pull request Jan 15, 2025
Closed
@yeikel
Copy link
Copy Markdown
Author

yeikel commented Jan 15, 2025

I saw #8338 after opening the pull request. Moving this as a draft for now waiting for clarify

@yeikel yeikel marked this pull request as draft January 15, 2025 23:54
@eddumelendez
Copy link
Copy Markdown
Member

eddumelendez commented Apr 22, 2025

Hi, thanks for raising the issue. I have shared before in one of the issues why we are not upgrading. We need to keep compatibility with other projects. Do you have proves that the CVEs are not false-positives?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yeikel @eddumelendez