In sbt you can run `show evicted` to print the dependencies and what has
been overridden, although usually the highest version is chosen by default,
so it is a bit confusing that an earlier version was chosen.
Then something like
Seems reasonable to me. Note that with all the updates, it's important
to double check that none of the licenses or notice information changes
for any of the dependencies (either direct or transitive). Note that I
know changes were made to the bin.NOTICE and bin.LICENSE files for
Daffodil from
I'm looking forward to RC3.
On Fri, Mar 25, 2022 at 11:06 AM Shane Dell wrote:
Okay so here is what I was able to find last night:

- Adding the dependencyOverrides for commons-lang fixes the CVE issue and causes no issue to build
- Updating "logback-classic" from 1.2.3 to 1.2.11 fixes the CVE issues and causes no issue to build
- Updating to daffodil 3.3.0 causes no issue
I think the log4cats findings are false positives. The links that
dependencyCheck provides for the log4cats findings are here:
https://ossindex.sonatype.org/component/pkg:maven/org.typelevel/log4cats-core_2.12@2.1.0
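As an added illustration of the two fixes discussed above (not code from the Daffodil build or from anyone in this thread), this build.sbt fragment shows how a direct dependency bump and a `dependencyOverrides` pin differ; the project name and Scala version are assumptions, and the commons-lang version is a placeholder because the thread does not state which release was chosen.

```scala
// build.sbt (added example; not the Daffodil project's own build file)
ThisBuild / scalaVersion := "2.12.15" // assumption, not taken from the thread

lazy val root = (project in file("."))
  .settings(
    name := "dependency-pinning-example", // hypothetical project name
    libraryDependencies ++= Seq(
      // Direct dependency: bumping the version we declare is enough,
      // as with logback-classic 1.2.3 -> 1.2.11 in the thread.
      "ch.qos.logback" % "logback-classic" % "1.2.11"
    ),
    // Transitive dependency: nothing in libraryDependencies asks for
    // commons-lang, so a version bump has nowhere to go. dependencyOverrides
    // forces the resolver to use this version wherever commons-lang appears
    // in the graph, instead of the highest version some library requested.
    dependencyOverrides ++= Seq(
      "commons-lang" % "commons-lang" % "<patched-version>" // placeholder
    )
  )
```

After reloading, `sbt evicted` (or `show evicted` in the sbt shell) lists which versions were replaced, so the override can be confirmed before re-running dependencyCheck.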