Merge pull request urlaubsverwaltung#4907 from urlaubsverwaltung/cve-…

…common-compress Update commons-compress to 1.27.1 fixing CVEs
grafjo · Sep 24, 2024 · 5775e9d · 5775e9d
2 parents a72073d + 85e0fe4
commit 5775e9d
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pom.xml b/pom.xml
@@ -22,6 +22,13 @@
     <uv-extension-api.version>1.2.0</uv-extension-api.version>
     <jollyday.version>0.32.0</jollyday.version>
 
+    <!-- Remove commons-compress dependency when testcontainers ships with commons-compress >= 1.27.1, see
+     https://github.com/testcontainers/testcontainers-java/issues/8338
+     https://www.cve.org/CVERecord?id=CVE-2024-25710
+     https://www.cve.org/CVERecord?id=CVE-2024-26308
+    -->
+    <commons-compress.version>1.27.1</commons-compress.version>
+
     <docker-publish-registry>registry.example.com</docker-publish-registry>
     <docker-publish-registry-path>path/example</docker-publish-registry-path>
     <docker-publish-registry-username>username</docker-publish-registry-username>
@@ -268,6 +275,12 @@
       <artifactId>junit-jupiter</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-compress</artifactId>
+      <version>${commons-compress.version}</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>com.tngtech.archunit</groupId>
       <artifactId>archunit-junit5</artifactId>