[
https://issues.apache.org/jira/browse/MNG-7513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17567683#comment-17567683
]
Michael Osipov commented on MNG-7513:
-------------------------------------
[~slachiewicz], we do as a transitive dep:
{noformat}
[INFO] +- org.apache.maven.shared:maven-shared-utils:jar:3.3.4:compile
[INFO] | \- commons-io:commons-io:jar:2.6:compile
{noformat}
and the only thing used from Maven Shared Utils are message colorization stuff.
We can take a look at all relevant code in MSU and likely exclude Commons IO.
> Address commons-io_commons-io vulnerability found in maven latest version
> -------------------------------------------------------------------------
>
> Key: MNG-7513
> URL: https://issues.apache.org/jira/browse/MNG-7513
> Project: Maven
> Issue Type: Task
> Affects Versions: 3.8.6
> Reporter: Polu Ram Charan Teja
> Priority: Major
>
> In the maven latest version 3.8.6 one dependency is identified with known
> vulnerabilities in commons-io-2.6.jar CVE-2021-29425. so please suggest if
> you have plan to upgrade commons-io to latest version as we are getting
> impacted due to security checks
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
