Sorry, I hadn’t seen this response. Best practice is to include every dependency your application uses directly or transitively in the project’s parent pom.xml. That way you control the version of everything and aren’t dependent on other people’s stuff being upgraded.

Ralph

> On Jul 9, 2021, at 4:49 AM, Daniel Wille <dwi...@gmail.com> wrote:
> 
> That is good to know, and I appreciate that info.
> 
> I know that making updates to libraries for reasons like this is
> frowned upon by developers whose time is better spent fixing actual
> problems. It does mean however that many users will be in a situation
> where a corporate tool will detect the CVE, requiring the developer to
> investigate so they can either explain why the CVE is a non-issue, or
> force them to override the dependency in their build (which I did,
> because that's the easiest course).
> 
> Thanks,
> 
> Daniel
> 
>> Mitigate what?
>> 
>> Commons FileUpload doesn't use the code in Commons IO affected by
>> CVE-2021-29425.
>> 
>> Mark
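The version pinning Ralph describes, as an added example that is not from the thread or from the Commons project: a parent pom.xml fragment whose dependencyManagement section fixes the version of commons-io that commons-fileupload pulls in transitively. The commons-io and commons-fileupload coordinates are the real Maven Central ones; the project coordinates are hypothetical and both version values are placeholders to replace with the releases your scanner accepts.

```xml
<!-- Added example parent pom.xml fragment; not from the mailing-list thread. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>             <!-- hypothetical coordinates -->
  <artifactId>example-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- PLACEHOLDER: a commons-io release your scanner no longer flags for CVE-2021-29425 -->
    <commons-io.version>X.Y</commons-io.version>
    <!-- PLACEHOLDER: the commons-fileupload release you actually use -->
    <commons-fileupload.version>X.Y</commons-fileupload.version>
  </properties>

  <!-- A managed version wins over whatever version a transitive dependency
       declares, so every module inheriting this pom resolves commons-io to
       the pinned release even when it only arrives via commons-fileupload. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>${commons-fileupload.version}</version>
      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons-io.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm the pin took effect in a child module, run `mvn dependency:tree -Dincludes=commons-io` and check that the only commons-io node shown carries the managed version.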
