Merge pull request #2609 from guardian/asyncHttpClient-vulnerability

Add dependencyOverride for asyncHttpClient
guardian · Dec 20, 2024 · f118d16 · f118d16
2 parents 6a60497 + 9ffc50e
commit f118d16
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/build.sbt b/build.sbt
@@ -362,7 +362,7 @@ def lambdaProject(
       riffRaffUploadManifestBucket := Option("riffraff-builds"),
       riffRaffManifestProjectName := s"support-service-lambdas::$projectName",
       riffRaffArtifactResources += (file(s"handlers/$projectName/$cfName"), s"cfn/$cfName"),
-      dependencyOverrides ++= jacksonDependencies,
+      dependencyOverrides ++= jacksonDependencies :+ asyncHttpClientOverride,
       libraryDependencies ++= externalDependencies ++ logging,
       Test / test := ((Test / test) dependsOn (projectDependencies.map(_.project / Test / test) *)).value,
       Test / testOnly := ((Test / testOnly) dependsOn (projectDependencies.map(_.project / Test / test) *)).evaluated,

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
@@ -56,8 +56,13 @@ object Dependencies {
   // HTTP clients
   val sttp = "com.softwaremill.sttp.client3" %% "core" % sttpVersion
   val sttpCirce = "com.softwaremill.sttp.client3" %% "circe" % sttpVersion
+
+  // Override to fix this vulnerability https://github.com/guardian/support-service-lambdas/security/dependabot/24
+  // This is a transitive dependency of async-http-client-backend-cats-ce2 so when we upgrade that we can remove this
+  val asyncHttpClientOverride = "org.asynchttpclient" % "async-http-client" % "2.12.4"
   val sttpAsyncHttpClientBackendCats =
     "com.softwaremill.sttp.client3" %% "async-http-client-backend-cats-ce2" % sttpVersion
+
   val sttpOkhttpBackend =
     "com.softwaremill.sttp.client3" %% "okhttp-backend" % sttpVersion
   val okhttp3 = "com.squareup.okhttp3" % "okhttp" % "4.12.0"