technomancy/leiningen

Address commons-io vuln


Grype detects the following vuln in root/.lein/self-installs/leiningen-2.11.2-standalone.jar:

NAME                        INSTALLED                FIXED-IN  TYPE          VULNERABILITY        SEVERITY
commons-io                  2.8.0                    2.14.0    java-archive  GHSA-78wr-2p64-hpwj  High

Would be nice to update Lein to not trigger this report.

This isn't relevant to Leiningen's use of commons-io, which does not operate on untrusted input. If an attacker can replace XML in a repository you read from, they can do much worse than consume CPU!

I understand, it's a common case with vulns that they are unreachable. But why not bump the dep simply to get rid of this report in all the consumers' automated pipelines?