launchdarkly/java-server-sdk

Snyk reports a low version of the okhttp3 dependency

MiaousX opened this issue · 3 comments

Problem
When I run my project through the pipeline, Snyk alerts me that launchdarkly uses a low version of okhttp3, which may have some information exposure risks.

Desired Solution
In my project, I used Gradle to exclude the okhttp3 in launchdarkly and implemented the latest version myself. Would you consider updating the version in your repo?

Additional context
I used launchdarkly version 5.9.0, and I haven't done much research on the latest version (if you have already updated it, please ignore). Thanks.
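The Gradle workaround the reporter describes, written out as an added example that is not part of the original issue or of the SDK project's own build files: it excludes the transitive okhttp artifact from the LaunchDarkly SDK dependency and declares a patched OkHttp version directly. The coordinates `com.launchdarkly:launchdarkly-java-server-sdk` and `com.squareup.okhttp3:okhttp` are the real Maven coordinates; the SDK version is the 5.9.0 named in the issue, and `OKHTTP_PATCHED_VERSION` is a placeholder to replace with the fixed version your scanner points you to.

```groovy
// build.gradle (Groovy DSL). Added example; not from the issue or the SDK repo.
dependencies {
    // Pull in the SDK (5.9.0 is the version named in the issue) but drop the
    // okhttp artifact it brings along transitively.
    implementation('com.launchdarkly:launchdarkly-java-server-sdk:5.9.0') {
        exclude group: 'com.squareup.okhttp3', module: 'okhttp'
    }
    // Declare the patched OkHttp explicitly. OKHTTP_PATCHED_VERSION is a
    // placeholder, not a real version string.
    implementation 'com.squareup.okhttp3:okhttp:OKHTTP_PATCHED_VERSION'
}

// The exclude above only affects the SDK's own dependency edge. If another
// library also brings okhttp transitively, pin the version for every
// configuration so no path resolves to an older build.
configurations.all {
    resolutionStrategy {
        force 'com.squareup.okhttp3:okhttp:OKHTTP_PATCHED_VERSION'
    }
}
```

To confirm what actually ends up on the classpath, run `./gradlew dependencyInsight --dependency okhttp --configuration runtimeClasspath`; it prints every path that requested okhttp and the single version Gradle selected. Two caveats: Gradle's default conflict resolution already picks the highest requested version, so declaring the newer OkHttp directly often suffices on its own, and the exclude mainly makes the override explicit; and the SDK is only tested against the OkHttp it ships with, so the pin is a stopgap to drop once an SDK release that updates the dependency is adopted.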

Thanks. Ironically, I think I was the first to report this problem, but after they released a patch for it, we had not updated to that patch because we had already implemented a workaround to prevent any such values from being logged. So we don't think it is an actual risk at this point, but we still should update the dependency version, especially now that there is a CVE for this issue.

This is fixed in the 5.9.3 release.