Release new Version to Maven Central to remove vulnerable dependencies #188

Closed
vbrandl opened this issue May 5, 2021 · 1 comment

Comments


vbrandl commented May 5, 2021

The jasperreports version currently on Maven Central depends on jackson-databind 2.10.0, which has known vulnerabilities. This was fixed in b3e7721, but there hasn't been a new version on Maven Central.

Could you publish a patch release to address this?

Also, there is a vulnerability in itext: https://ossindex.sonatype.org/vulnerability/9a9a3093-8992-4530-9de5-4361cb866b38?component-type=maven&component-name=com.lowagie.

Maybe this can be fixed, too.
