Force dependency version to avoid vulnerability

tidal-music · Dec 5, 2024 · 5352003 · 5352003
1 parent 4ebe157
commit 5352003
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/flo/build.gradle.kts b/flo/build.gradle.kts
@@ -7,6 +7,21 @@ android {
     namespace = "com.tidal.sdk.flo"
 }
 
+configurations.all {
+    resolutionStrategy.eachDependency {
+        if (requested.group != "com.google.guava") {
+            return@eachDependency
+        }
+        if (requested.name != "guava") {
+            return@eachDependency
+        }
+        // https://nvd.nist.gov/vuln/detail/cve-2023-2976, comes via moshi-kotlin-codegen 1.15.1
+        if (requested.version == "30.1.1-jre") {
+            useVersion("32.0.1-jre")
+        }
+    }
+}
+
 dependencies {
     ksp(libs.moshi.codegen)
     implementation(libs.moshi)