From cdbb8f7ea06a36f4290a45f1638e26652c14227c Mon Sep 17 00:00:00 2001
From: Stephen Ni <nisiyong@users.noreply.github.com>
Date: Mon, 18 Nov 2024 09:09:05 +0800
Subject: [PATCH] Bump com.thoughtworks.xstream:xstream from 1.4.20 to 1.4.21
 to fix CVE-2024-47072 (#5280)

* build(deps): bump com.thoughtworks.xstream:xstream from 1.4.20 to 1.4.21

* build(deps): bump com.thoughtworks.xstream:xstream from 1.4.20 to 1.4.21
---
 CHANGES.md | 1 +
 pom.xml    | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index f726c5815bd..d62918c565f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -20,6 +20,7 @@ Apollo 2.4.0
 * [Refactor: align database ClusterName and NamespaceName fields lengths](https://github.com/apolloconfig/apollo/pull/5263)
 * [Feature: Added the value length limit function for AppId-level configuration items](https://github.com/apolloconfig/apollo/pull/5264)
 * [Fix: ensure clusters order in envClusters open api](https://github.com/apolloconfig/apollo/pull/5277)
+* [Fix: bump xstream from 1.4.20 to 1.4.21 to fix CVE-2024-47072](https://github.com/apolloconfig/apollo/pull/5280)
 
 ------------------
 All issues and pull requests are [here](https://github.com/apolloconfig/apollo/milestone/15?closed=1)
diff --git a/pom.xml b/pom.xml
index 31929d5d2bc..93db6c18277 100644
--- a/pom.xml
+++ b/pom.xml
@@ -200,11 +200,11 @@
 				<artifactId>commons-lang3</artifactId>
 				<version>${common-lang3.version}</version>
 			</dependency>
-			<!-- to fix CVE-2022-41966 -->
+			<!-- to fix CVE-2024-47072 -->
 			<dependency>
 				<groupId>com.thoughtworks.xstream</groupId>
 				<artifactId>xstream</artifactId>
-				<version>1.4.20</version>
+				<version>1.4.21</version>
 			</dependency>
 			<!--for test -->
 			<dependency>