Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Resolves transitive dependencies for 2.7.0 #4308

Merged
merged 2 commits into from
Mar 21, 2024

Conversation

dlvenable
Copy link
Member

Description

This PR updates some transitive dependencies to resolve some CVEs:

I also moved some of the dependency constraints such that they are only in the projects needing them.

This is the last set of CVEs known to resolve for releasing 2.7.0.

Issues Resolved

Resolves #4282, #4290, #4296.

Check List

  • New functionality includes testing.
  • New functionality has a documentation issue. Please link to it in this PR.
    • New functionality has javadoc added
  • Commits are signed with a real name per the DCO

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

…3944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves opensearch-project#4282, opensearch-project#4290, opensearch-project#4296.

Signed-off-by: David Venable <dlv@amazon.com>
…back to the root.

Signed-off-by: David Venable <dlv@amazon.com>
@dlvenable dlvenable merged commit 507b2ed into opensearch-project:main Mar 21, 2024
71 of 74 checks passed
@dlvenable dlvenable deleted the 2.7-cves branch March 22, 2024 21:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE-2023-51775 (High) detected in jose4j-0.9.3.jar
3 participants