FWIW, libraries generally are compatible with newer versions of their dependencies, so long as the major version number doesn't change. So you can mitigate this yourself by updating your application to use Commons IO 2.7 or later.
Ralph

> On Jul 9, 2021, at 4:11 AM, Daniel Wille <[email protected]> wrote:
>
> Hi all,
>
> I recently noted that commons-fileupload:commons-fileupload:1.4 has a
> dependency on commons-io:commons-io:2.2, which has a CVE (CVE-2021-29425).
> This could be mitigated by simply updating the dependency version to 2.7 or
> later. Would it be possible to publish a newer version of
> commons-fileupload with these changes?
>
> Thanks,
> Daniel Wille
