All,

When looking at forking and updating maven-source-plugin to get rid of its dependency on the vulnerable package org.codehaus.plexus : plexus-utils, I found that these packages are also using a vulnerable version of it. As fixing this issue would require multiple releases, can I prevail upon you guys to do a fix?

- org.apache.maven : maven-core 3.0
- org.apache.maven : maven-model 3.0
- org.apache.maven : maven-compat 3.0
- org.apache.maven.plugin-testing : maven-plugin-testing-harness 2.1
- org.apache.maven : maven-plugin-api 3.0

Incidentally, this vulnerability was found using the IntelliJ plugin for Snyk. These guys offer the plugin for free to open source projects. Given that you are providing a core service to half the industry, can I ask you to evaluate using it across all Apache packages as standard? Their vulnerability database is very well maintained.

Regards,
Bradley Atkins

Snyk site - https://snyk.io

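A check that consumers of these artifacts can run while the releases are pending, added here as an example and not part of the email above: a script that walks `mvn dependency:tree` output and reports every path that pulls in plexus-utils below a required version, so the offending parent artifact is visible. The sample tree and its version numbers are constructed, and the minimum version is a placeholder you set to the fixed release named by the advisory you are tracking.

```python
"""Report plexus-utils versions below a required minimum in `mvn dependency:tree` output."""
import re

TARGET = "org.codehaus.plexus:plexus-utils"  # the vulnerable artifact from the email

# Constructed sample of `mvn dependency:tree` output; not real build output.
SAMPLE_TREE = """\
org.apache.maven.plugins:maven-source-plugin:maven-plugin:3.0.0
+- org.apache.maven:maven-core:jar:3.0:compile
|  +- org.codehaus.plexus:plexus-utils:jar:2.0.4:compile
|  \\- org.apache.maven:maven-model:jar:3.0:compile
+- org.apache.maven:maven-plugin-api:jar:3.0:compile
\\- org.codehaus.plexus:plexus-utils:jar:3.0.24:compile
"""

# tree-drawing prefix, then group:artifact:type:version[:scope]
LINE_RE = re.compile(
    r"^(?P<indent>[\s|+\\-]*)(?P<group>[^:\s]+):(?P<artifact>[^:]+):"
    r"(?P<type>[^:]+):(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)


def parse_version(v):
    """Turn '3.0.24' into (3, 0, 24); non-numeric parts (e.g. 'SNAPSHOT') sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))


def find_outdated(tree_text, min_version):
    """Return [(version, path)] for each TARGET node with version < min_version.

    path is the chain of parent coordinates, i.e. which dependency drags it in.
    min_version is a placeholder: supply the fixed release from the advisory.
    """
    findings = []
    stack = []  # (depth, "group:artifact:version") of the current ancestors
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3  # each tree level is 3 columns wide
        coord = f"{m.group('group')}:{m.group('artifact')}"
        version = m.group("version")
        while stack and stack[-1][0] >= depth:  # climb back up to this node's parent
            stack.pop()
        if coord == TARGET and parse_version(version) < parse_version(min_version):
            findings.append((version, " -> ".join(c for _, c in stack)))
        stack.append((depth, f"{coord}:{version}"))
    return findings


if __name__ == "__main__":
    for version, path in find_outdated(SAMPLE_TREE, "3.0.24"):  # placeholder minimum
        print(f"{TARGET}:{version} pulled in via {path}")
```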