Update Okio to 3.4.0 or higher
nicbell opened this issue · 4 comments
nicbell commented
It would be good for Okio to be updated as the version in this project has reported vulnerabilities.
How to fix?
Upgrade com.squareup.okio:okio to version 3.4.0 or higher.
https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKIO-5773320
nicbell commented
Ah, it looks like it's already updated in the TOML: okio = "com.squareup.okio:okio:3.7.0"
There just hasn't been a release of Moshi in a while.
JakeWharton commented
It's also worth noting that Moshi does not exercise the codepath in question (which is not even really a vulnerability, just a bug that causes a crash).
Perhaps we can put out a point release. There only seems to be one or two bugfixes since the last release. Other than that it's just dependency bumps like this.
JakeWharton commented
1.15.1 released
nicbell commented
Thanks!