Upgrade json-smart version to 2.5.2 in response to CVE-2024-57699 #24631
Conversation
efd971d to 815a53e
815a53e to 4c63e80
Thanks for the fix!
I don't think that this PR is necessary. I could not find a usage of json-smart with a version other than 2.5.0 in the dependency tree when running ./mvnw dependency:tree. This PR doesn't effectively do anything other than pin the version to 2.5.0, which all of our modules already use. We should avoid pinning a transitive dependency unless it is pulling up a version for a specific module.
@ZacBlanco – The json-smart:2.5.0 is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, and json-path:2.9.0 is the latest release version in the Maven repository, which contains this (CVE-2024-57699) vulnerability. json-smart:2.5.2 addresses this high-severity vulnerability.
Sorry, when I was reviewing earlier I must have had the wrong branch checked out. I looked again and see that 2.5.2 replaces 2.5.0 everywhere. This should be good.
Description
Upgrade the json-smart dependency to version 2.5.2 to address CVE-2024-57699. The json-smart dependency is a transitive dependency of com.jayway.jsonpath:json-path:2.9.0, which uses an older version that contains this vulnerability. Therefore, upgrading the json-smart dependency to 2.5.2 resolves the issue.
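The mechanism the description relies on, shown as an added example that is not this PR's diff or the project's own pom.xml: json-path 2.9.0 declares json-smart 2.5.0, so the parent pom overrides the transitive version through dependencyManagement, and an enforcer rule makes the build fail if any module ever resolves a json-smart older than 2.5.2 again (the kind of regression the reviewer's dependency:tree check above was looking for). The property name dep.json-smart.version, the enforcer execution id and the plugin placement are assumptions; the coordinates net.minidev:json-smart, com.jayway.jsonpath:json-path and the versions 2.5.0, 2.5.2 and 2.9.0 come from the discussion.

```xml
<!-- Added example, not the project's pom.xml. Property name and execution id are assumptions. -->
<project>
  <properties>
    <dep.json-smart.version>2.5.2</dep.json-smart.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Direct dependency; on its own it would pull in json-smart 2.5.0 transitively. -->
      <dependency>
        <groupId>com.jayway.jsonpath</groupId>
        <artifactId>json-path</artifactId>
        <version>2.9.0</version>
      </dependency>
      <!-- A managed version takes precedence over the transitive 2.5.0 declared by json-path
           in every module that inherits this pom, without adding json-smart as a direct dependency. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>${dep.json-smart.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Guard against a future bump of json-path (or any other module) silently reintroducing
           a json-smart below 2.5.2: the build fails instead of shipping the vulnerable version. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-vulnerable-json-smart</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- groupId:artifactId:versionRange; [,2.5.2) bans everything older than 2.5.2 -->
                    <exclude>net.minidev:json-smart:[,2.5.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the override took effect in every module, run ./mvnw dependency:tree -Dincludes=net.minidev:json-smart from the repository root; each module should list json-smart:2.5.2 and nothing else. Adding -Dverbose shows the replaced 2.5.0 annotated as managed from json-path, which is the quickest way to distinguish "pinned to what it already was" from "actually overridden", the question that came up in review. Two caveats: dependencyManagement only reaches modules that inherit from or import this pom, and a module that declares net.minidev:json-smart directly with its own version wins over the managed one, which is exactly what the enforcer rule is there to catch.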