Fix GHSA-6fmv-xxpf-w3cw: pin plexus-utils 3.6.1 and suppress false positive#1138
Merged
Fix GHSA-6fmv-xxpf-w3cw: pin plexus-utils 3.6.1 and suppress false positive#1138
Conversation
Contributor
|
Are we confident about this change? Shannon added this back. Kevin mentioned maven3 is not compatible with 4.x |
Member
Author
|
Was that not for a different vulnerability? Since this lists anything below 4.0.3 as vulnerable: My plan was to merge this and run the scan again to verify we don't pull in this version anymore transitively. |
Contributor
|
AFAICS,
|
586819a to
7bfb2a5
Compare
7bfb2a5 to
62e7589
Compare
Jenson3210
approved these changes
Apr 8, 2026
62e7589 to
e863e42
Compare
Member
Author
|
Hmm; thanks! So then the issue appears to be slightly different: 3.6.1 already contains the fix, and we should continue to have that here to override the 3.6.0 coming in transitively. I've proposed an upstream fix as well then |
Member
Author
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses GHSA-6fmv-xxpf-w3cw (Zip Slip in plexus-utils
Expandclass).plexus-utilsfrom a direct compile dependency to<dependencyManagement>, pinned at 3.6.1 which contains the fix. The only classes used (Xpp3Dom,MXSerializer) are already provided by the existingplexus-xml:4.1.1dependency.Test plan
mvn compilepasses