See:

mvn dependency:tree -f "C:\Users\%USERNAME%\.m2\repository\io/codearte/gradle/nexus/gradle-nexus-staging-plugin/0.30.0/gradle-nexus-staging-plugin-0.30.0.pom"

[INFO] Scanning for projects...
[INFO]
[INFO] --------< io.codearte.gradle.nexus:gradle-nexus-staging-plugin >--------
[INFO] Building Gradle Nexus staging plugin 0.30.0
[INFO]   from gradle-nexus-staging-plugin-0.30.0.pom
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- dependency:3.7.0:tree (default-cli) @ gradle-nexus-staging-plugin ---
[INFO] io.codearte.gradle.nexus:gradle-nexus-staging-plugin:jar:0.30.0
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.9.1:compile
[INFO] |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.0:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
[INFO] |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] +- org.spockframework:spock-core:jar:1.3-groovy-2.5:test
[INFO] +- info.solidsoft.spock:spock-global-unroll:jar:0.5.1:test
[INFO] +- org.objenesis:objenesis:jar:3.1:test
[INFO] +- net.bytebuddy:byte-buddy:jar:1.10.21:test
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.265 s
[INFO] Finished at: 2025-11-13T11:24:47-05:00
[INFO] ------------------------------------------------------------------------
No commons-lang

Gary

On 2025/11/13 16:14:57 Gary Gregory wrote:
> How about using the current
> io.codearte.gradle.nexus:gradle-nexus-staging-plugin 0.30.0 (from 2021!)
> instead of a plugin from 2019?
>
> That might help...
>
> Gary
>
> On Thu, Nov 13, 2025, 10:23 Vladimir Sitnikov <[email protected]>
> wrote:
>
> > Hi,
> >
> > CVE-2025-48924 impacts commons-lang:2.6, however the clients have
> > no option to avoid the CVE in their apps.
> >
> > The upgrade from commons-lang 2 to 3 requires a client code rewrite, and
> > asking clients to rewrite their code to avoid the CVE does not seem right.
> >
> > For instance, I have the following dependency chain:
> >
> > +--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
> >      \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
> >           +--- net.sf.json-lib:json-lib:2.3
> >           |    +--- commons-lang:commons-lang:2.4 <- CVE-2025-48924
> >           |    \--- net.sf.ezmorph:ezmorph:1.0.6
> >           |         \--- commons-lang:commons-lang:2.3 -> 2.4 <- CVE-2025-48924
> >
> > The software in question is somewhat outdated, and migrating to a
> > completely different stack would take enormous time.
> >
> > Would you please consider fixing the CVE and releasing it via 2.6.1?
> > As far as I understand, backporting the fix would be trivial, and it would
> > really help those who still use commons-lang:2.6.
> >
> > I could help with backporting the fix, however I would need the help of the
> > PMC to release 2.6.1.
> >
> > Vladimir
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
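Added example for this thread (not code from the thread, from Apache Commons, or from the gradle-nexus-staging-plugin project): the two messages above answer "does this plugin pull in commons-lang?" by reading a tree by eye. The script below parses the text output of either `gradle dependencies` or `mvn dependency:tree`, lists every chain that reaches a given group:artifact, and reports the version Gradle actually resolved (the right-hand side of `2.3 -> 2.4`, which is what lands on the classpath). The two sample trees are constructed from the chains posted in the thread; the handling of the `[INFO]` prefix, the `+-`/`\-` and `+---`/`\---` branch markers and the `->` notation is an assumption about the two tools' text formats.

```python
"""List every dependency path that reaches a given artifact in Maven or
Gradle tree output.  Added example, not part of the mailing-list thread."""
import re

# Branch marker: "+- " / "\- " (Maven) or "+--- " / "\--- " (Gradle).
# Its width is also the indentation unit, so depth = column // width.
# (Assumed format of both tools' ASCII trees.)
_BRANCH = re.compile(r"[+\\]-+ ")


def parse_tree(text):
    """Yield (depth, group, artifact, resolved_version) for each node.

    Depth 0 is a direct dependency; the Maven project line, separators and
    Gradle configuration headers carry no branch marker and are skipped.
    """
    nodes = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = _BRANCH.search(line)
        if not m:
            continue
        depth = m.start() // len(m.group(0))
        tokens = line[m.end():].split()          # trailing "(*)", "<- CVE..." ignored
        if not tokens:
            continue
        parts = tokens[0].split(":")
        if len(parts) < 2:
            continue
        group, artifact = parts[0], parts[1]
        if len(parts) >= 5:        # Maven: g:a:type[:classifier]:version:scope
            version = parts[-2]
        elif len(parts) == 4:      # Maven root style: g:a:type:version
            version = parts[3]
        elif len(parts) == 3:      # Gradle: g:a:version
            version = parts[2]
        else:                      # Gradle "g:a -> version" (version only after ->)
            version = ""
        if len(tokens) >= 3 and tokens[1] == "->":
            version = tokens[2]    # Gradle conflict resolution: the winner is used
        nodes.append((depth, group, artifact, version))
    return nodes


def paths_to(text, group, artifact):
    """Every chain (direct dependency first) ending at group:artifact."""
    stack, found = [], []
    for depth, g, a, v in parse_tree(text):
        del stack[depth:]                        # leave the previous subtree
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact):
            found.append(list(stack))
    return found


def resolved_versions(text, group, artifact):
    """Set of versions of group:artifact that end up on the classpath."""
    return {v for _, g, a, v in parse_tree(text) if (g, a) == (group, artifact)}


def report(text, group, artifact):
    paths = paths_to(text, group, artifact)
    if not paths:
        return f"{group}:{artifact}: not present"
    lines = [f"{group}:{artifact}: {len(paths)} path(s), versions {sorted(resolved_versions(text, group, artifact))}"]
    lines += ["  " + " -> ".join(p) for p in paths]
    return "\n".join(lines)


# Constructed samples, built from the two trees posted in the thread.
GRADLE_SAMPLE = r"""classpath
+--- io.codearte.gradle.nexus:gradle-nexus-staging-plugin:0.21.2
|    \--- org.codehaus.groovy.modules.http-builder:http-builder:0.7.1
|         +--- net.sf.json-lib:json-lib:2.3
|         |    +--- commons-lang:commons-lang:2.4
|         |    \--- net.sf.ezmorph:ezmorph:1.0.6
|         |         \--- commons-lang:commons-lang:2.3 -> 2.4
\--- junit:junit:4.13.2
     \--- org.hamcrest:hamcrest-core:1.3
"""

MAVEN_SAMPLE = r"""[INFO] io.codearte.gradle.nexus:gradle-nexus-staging-plugin:jar:0.30.0
[INFO] +- com.squareup.okhttp3:okhttp:jar:4.9.1:compile
[INFO] |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.0:compile
[INFO] |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile
[INFO] |     \- org.jetbrains:annotations:jar:13.0:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

if __name__ == "__main__":
    print(report(GRADLE_SAMPLE, "commons-lang", "commons-lang"))
    print(report(MAVEN_SAMPLE, "commons-lang", "commons-lang"))
```

Run it against the real output of `gradle buildEnvironment` (for plugin classpaths) or `mvn dependency:tree` piped to a file; because no fixed 2.x release of commons-lang exists, the check is on the coordinate alone, and every path it prints is one the build would have to cut, as the 0.21.2 to 0.30.0 upgrade above does.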
