Update rhino dependency
Opened this issue · 4 comments
wtrocki commented
Rhino https://mvnrepository.com/artifact/org.mozilla/rhino/1.7.14 is available and it contains a number of security patches.
See also: #27
wtrocki commented
I wanted to contribute that change but noticed that there is a FIXME comment:
// FIXME: update beyond 1.7.7.x once we're Java 8 or better.
Made a PR to verify the changes: #105
dkirrane commented
Can this be merged?
cykl commented
Any news? Rhino 1.7.7.2 is reported as vulnerable by most tools. It would be great to update to the latest version.
In the meantime, should I assume it's fine to force 1.7.14 if I'm running Java 21? The comment in the code seems to imply the old version has been pinned for pre-Java 8 compatibility.
ken-i commented
Would like to see this fix merged/deployed, or can we get a new version that jumps to Rhino 1.7.14 or higher?