nsoft commented on issue #2006: URL: https://github.com/apache/shiro/issues/2006#issuecomment-2677299943
Main seems to be referencing 4.2.2, which is over 6 years old, so it does seem that there may be need for an update to the Guice dependency. Guice is now on 7.x (released May 2024) and still active (14 commits in 2025); it would be nice not to have to rip Guice out of the code I already have written... This module also seems to be referencing log4j 1.2 directly (not transitive) for some reason, which is a bit odd since that is almost 10 years past end of life... IDE notes that and a couple of other CVEs, so it may be useful to update deps in general. I see some of these are likely not relevant, such as the Socketserver and JDBCAppender related CVEs for log4j, but it does generally make life easier for folks not to have to sort through such things.
