Details: Bug; Status: Closed; Major; Resolution: Fixed; 5.8.0; None
Description
Although not as vulnerable as earlier versions, quickstart is using a log4j2 version which is still vulnerable. Please upgrade from 2.16.0 to 2.17.1.
While doing that, "mvn versions:display-dependency-updates" shows the following libraries which can be updated. I think the jackson update is a security fix.
com.fasterxml.jackson.core:jackson-core ............. 2.12.5 -> 2.13.1
com.fasterxml.jackson.core:jackson-databind ......... 2.12.5 -> 2.13.1
com.fasterxml.jackson.dataformat:jackson-dataformat-yaml ..2.12.5 -> 2.13.1
org.eclipse:yasson ....................................2.0.2 -> 2.0.4
org.junit.jupiter:junit-jupiter .......................5.7.2 -> 5.8.2
Also, "mvn versions:display-plugin-updates" gives warnings that the following plugins do not have versions specified, so they could be added to the build section of pom.xml.
[WARNING] The following plugins do not have their version specified:
[WARNING] maven-clean-plugin ...................... (from super-pom) 3.1.0
[WARNING] maven-deploy-plugin .................. (from super-pom) 3.0.0-M1
[WARNING] maven-install-plugin ................. (from super-pom) 3.0.0-M1
[WARNING] maven-resources-plugin .................. (from super-pom) 3.2.0
[WARNING] maven-site-plugin ....................... (from super-pom) 3.9.1
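The change this report asks for, as an added pom.xml fragment that is not the quickstart's own file: it pins log4j2 to 2.17.1 and Jackson to 2.13.1 through dependencyManagement and gives the five unversioned plugins the versions the warnings list, in pluginManagement. It assumes the quickstart declares log4j-api and log4j-core directly rather than through a BOM; the plugin groupId is omitted because Maven defaults it to org.apache.maven.plugins.

```xml
<!-- Added example, not the quickstart's own pom.xml. Assumes log4j-api and
     log4j-core are declared directly rather than through a BOM. -->
<project>
  <properties>
    <log4j2.version>2.17.1</log4j2.version>
    <jackson.version>2.13.1</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version also overrides a transitive 2.16.0 pulled in
           by some other dependency, not only the direct declaration. -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <!-- Explicit versions silence the display-plugin-updates warnings and stop
         the build depending on whichever super-POM the local Maven ships. -->
    <pluginManagement>
      <plugins>
        <plugin><artifactId>maven-clean-plugin</artifactId><version>3.1.0</version></plugin>
        <plugin><artifactId>maven-deploy-plugin</artifactId><version>3.0.0-M1</version></plugin>
        <plugin><artifactId>maven-install-plugin</artifactId><version>3.0.0-M1</version></plugin>
        <plugin><artifactId>maven-resources-plugin</artifactId><version>3.2.0</version></plugin>
        <plugin><artifactId>maven-site-plugin</artifactId><version>3.9.1</version></plugin>
      </plugins>
    </pluginManagement>
  </build>
</project>
```

After the change, "mvn dependency:tree -Dincludes=org.apache.logging.log4j" should list no log4j artifact below 2.17.1, which confirms no transitive path still resolves to 2.16.0.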