reporting vulnerabilities in dependencies #1610
Comments
Thanks @stealthrabbi ! We have upgraded Jetty in Javalin 4.6.4, which was released earlier today :)
Ah ok thanks. 4.6.3 is still showing as the latest on maven central. Does it take time to push up?
Yes, it usually takes a few hours. mvnrepository is actually not the official page, https://search.maven.org is. You can find the artifact here: https://search.maven.org/artifact/io.javalin/javalin/4.6.4/jar, but it's also not searchable there yet.
I've pulled in Javalin 4.6.4 which is using Jetty 9.4.48.v20220622 but I'm still getting the same high priority warning for CVE-2022-2191. Notably support for Jetty 9.4 was dropped on June 1st (jetty/jetty.project#7958). I may have missed it but I don't see a fix for CVE-2022-2191 in the 9.4 branch.
@ajsutton 9.4.x is not affected. See here: jetty/jetty.project#8161
@Playacem Thank you - the CVE has the wrong versions and I hadn't seen the comments at the bottom of the PR.
I am looking to integrate this library into my application that I scan with trivy. Trivy has reported some vulns with the jetty libraries that are included. I'm on Javalin 4.6.3.