feignclient transitive dependency vulnerability issue apache commons fileupload 1.4 in gradle #1975
Comments
|
I have the same problem. |
|
I would say to use latest spring version. Feign itself doesn't use commons fileupload |
|
The issue lies with feign-form, not feign. Here's a PR to update the dependency, but the project appears dead. Spring appears to be wanting to drop the dependency on feign-form as they see the project as dead. |
|
Hello @will-may-cc, this was a comment by a user. The Spring Cloud team has not expressed this kind of opinion in any way. We would definitely like to see gh-115 merged and the issue addressed directly in feign-form. CC @velo . |
|
We can see about update the dependency, but in the meantime, it should trivial for user to override the transient themselves. I'm not sure where the urgency here is otherwise. Is there something specific the use of the older version is preventing other than being reported on CVE and Security scans? |
kdavisk6
added
feign-form
In one of the project, I am using spring cloud starter openfeign 3.1.2 which is internally using apache commons fileupload version 1.4. Blackduck is raising vulnerability issue with apache commmons fileupload version 1.4, so I need to use apache commons fileupload version 1.5. How can I use spring cloud starter openfeign 3.1.2 with apache commons fileupload 1.5 or is there any version of spring cloud starter openfeign which is using apache commmons fileupload version 1.5?
The text was updated successfully, but these errors were encountered: