Commit
chore(dependencies): pin org.bitbucket.b_c:jose4j to version 0.9.3 (#1159) to resolve GHSA-jgvc-jfgh-rjvv

No change in dependencies in kork.

$ ./gradlew clouddriver-kubernetes:dependencies and ./gradlew orca-clouddriver:dependencies change as follows.

before:

+--- io.kubernetes:client-java -> 11.0.4
|    \--- org.bitbucket.b_c:jose4j:0.7.3
|         \--- org.slf4j:slf4j-api:1.7.21 -> 1.7.36

after:

+--- io.kubernetes:client-java -> 11.0.4
|    \--- org.bitbucket.b_c:jose4j:0.7.3 -> 0.9.3
|         \--- org.slf4j:slf4j-api:1.7.21 -> 1.7.36

Note that spinnaker/clouddriver#6133 teaches clouddriver to use version 13.0.2 of io.kubernetes.client-java-api-fluent. It's easy enough to get version 13.0.2 of io.kubernetes.client-java as well. Unfortunately, that only brings the dependency on org.bitbucket.b_c:jose4j from 0.7.3 to 0.7.8, which doesn't resolve the vulnerability. It takes at least [version 18.0.0 of io.kubernetes.java:client-java](https://github.com/kubernetes-client/java/blob/v18.0.0/pom.xml#L153) to get version 0.9.3 of org.bitbucket.b_c:jose4j "naturally", and doing that causes a bunch of compiler errors in clouddriver.

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>