java-json-tools/json-schema-core

Update rhino dependency

Opened this issue · 4 comments

Rhino https://mvnrepository.com/artifact/org.mozilla/rhino/1.7.14 is available and it contains a number of security patches.

See also: #27

I wanted to contribute that change but noticed that there is a FIXME comment:

// FIXME: update beyond 1.7.7.x once we're Java 8 or better.

Made PR to verify the changes: #105

Can this be merged?

cykl commented

Any news? Rhino 1.7.7.2 is reported as vulnerable by most tools. It would be great to update to the latest version.

In the meantime, should I assume it's fine to force 1.7.14 if I'm running Java 21? The comment in code seems to imply the old version has been pinned for pre-Java 8 compatibility.
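One way a consuming project can force the newer Rhino onto the classpath while the upstream pin is still 1.7.7.2, as an added example that is not part of this thread or of the json-schema-core project; the `com.github.java-json-tools:json-schema-core` coordinates and the `X.Y.Z` version are assumed placeholders.

```xml
<!-- pom.xml fragment (added example, not the project's own build file) -->
<project>
  <!--
    json-schema-core pulls org.mozilla:rhino in transitively, pinned to 1.7.7.2
    because of the FIXME quoted in the issue (pre-Java 8 compatibility).
    A dependencyManagement entry in the consuming project overrides the
    transitive version for the whole build, so scanners stop flagging 1.7.7.2.
  -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.mozilla</groupId>
        <artifactId>rhino</artifactId>
        <version>1.7.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- assumed coordinates of the library discussed in this issue -->
      <groupId>com.github.java-json-tools</groupId>
      <artifactId>json-schema-core</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: use the version you depend on -->
    </dependency>
  </dependencies>
</project>
```

Afterwards, `mvn dependency:tree -Dincludes=org.mozilla:rhino` should list a single `rhino:jar:1.7.14` node under json-schema-core; if 1.7.7.2 still appears, the override did not take effect and a direct `<dependency>` on rhino 1.7.14 can be added as a fallback.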

ken-i commented

Would like to see this fix merged / deployed or can we get a new version that jumps to Rhino 1.7.14 or higher?