chore: force okio version and upgrade okhttp3 to latest stable release #275

Merged (2 commits), Sep 8, 2023

Conversation

@dfederschmidt (Contributor) commented Sep 8, 2023

The following PR upgrades okhttp3 to the latest available stable version, due to a CVE released for the transitive dependency okio. Unfortunately, no stable version of okhttp3 exists that we can upgrade to.

This PR excludes okio from the dependency resolution of okhttp3 and adds it as a direct dependency instead.

According to square/okhttp#7944 this is the recommendation by the maintainers. There is no timeline for a 4.12.x release to mitigate this yet.

This is what the updated dependency tree looks like:

[INFO] --- dependency:3.6.0:tree (default-cli) @ splunk-library-javalogging ---
[INFO] com.splunk.logging:splunk-library-javalogging:jar:1.11.7
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:test (scope not updated to provided)
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.11:provided
[INFO] |  +- (ch.qos.logback:logback-core:jar:1.2.11:provided - omitted for duplicate)
[INFO] |  \- (org.slf4j:slf4j-api:jar:1.7.32:provided - omitted for conflict with 1.7.36)
[INFO] +- ch.qos.logback:logback-core:jar:1.2.11:provided (scope not updated to provided)
[INFO] +- ch.qos.logback:logback-access:jar:1.2.11:provided
[INFO] |  \- (ch.qos.logback:logback-core:jar:1.2.11:provided - omitted for duplicate)
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.11.0:compile
[INFO] |  +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.20:compile
[INFO] |  |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.20:compile
[INFO] |     +- (org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile - omitted for duplicate)
[INFO] |     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.20:compile
[INFO] |        \- (org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.20:compile - omitted for duplicate)
[INFO] +- com.squareup.okio:okio:jar:3.5.0:compile
[INFO] |  \- com.squareup.okio:okio-jvm:jar:3.5.0:compile
[INFO] |     +- (org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.9.0:compile - omitted for conflict with 1.6.20)
[INFO] |     \- (org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.9.0:compile - omitted for conflict with 1.6.20)
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.2:provided
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.2:provided
[INFO] |  \- (org.apache.logging.log4j:log4j-api:jar:2.17.2:provided - omitted for duplicate)
[INFO] +- com.splunk:splunk:jar:1.6.5.0:test
[INFO] +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] \- org.apache.commons:commons-lang3:jar:3.12.0:test
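The exclusion-plus-direct-dependency approach described above, as an added Maven pom.xml example rather than the PR's own diff (the exact exclusion the PR uses is not shown on this page; the versions 4.11.0 and 3.5.0 are taken from the dependency tree, and the wildcard artifactId is an assumption that catches whichever okio artifact okhttp declares):

```xml
<!-- Before: okhttp brings in its own okio transitively, so the okio version
     that ends up on the classpath is whatever okhttp 4.11.0 declares. -->
<dependency>
  <groupId>com.squareup.okhttp3</groupId>
  <artifactId>okhttp</artifactId>
  <version>4.11.0</version>
</dependency>

<!-- After: drop okhttp's transitive okio and declare the patched okio
     directly, so the version is pinned by this project, not by okhttp. -->
<dependency>
  <groupId>com.squareup.okhttp3</groupId>
  <artifactId>okhttp</artifactId>
  <version>4.11.0</version>
  <exclusions>
    <exclusion>
      <!-- assumption: wildcard covers okio as well as okio-jvm -->
      <groupId>com.squareup.okio</groupId>
      <artifactId>*</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>com.squareup.okio</groupId>
  <artifactId>okio</artifactId>
  <version>3.5.0</version>
</dependency>
```

After the change, `mvn dependency:tree` should list com.squareup.okio:okio:jar:3.5.0 as a direct compile dependency and no okio entry under okhttp, matching the tree posted above.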

@fantavlik fantavlik merged commit 53aff54 into splunk:main Sep 8, 2023
8 checks passed