lvincel commented on pull request #406:
URL: https://github.com/apache/maven/pull/406#issuecomment-737094812


Us too: our several security scans each flag maven-resolver-*.1.4.1.jar as involved in this CVE. We manually upgraded those libraries from the Maven 3.6.3 release to 1.6.1, and it's fine now. The question we have is: are those libraries causing the potential risk, or is it the use that Gradle made of them that caused the risk, in which case the CVE flags the wrong libraries? This is unclear.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

