Merge pull request #120 from yetanalytics/jetty-nvd-fixes

Jetty NVD fixes

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Change Log
 
+## [0.3.2] - 2023-10-03
+- Update server Jetty dependencies to v9.4.52 to address CVEs.
+
 ## [0.3.1] - 2023-07-24
 - Fix bug where the same `any` and `all` values are chosen within the same generated sequence.
 

deps.edn

@@ -41,8 +41,24 @@
   :server
   {:extra-paths ["src/server"]
    :extra-deps
-   {io.pedestal/pedestal.service {:mvn/version "0.6.0"}
-    io.pedestal/pedestal.jetty   {:mvn/version "0.6.0"}
+   {;; Jetty deps - need to exclude and use v9.4.52 due to CVEs
+    io.pedestal/pedestal.jetty
+    {:mvn/version "0.6.0"
+     :exclusions [org.eclipse.jetty/jetty-server
+                  org.eclipse.jetty/jetty-servlet
+                  org.eclipse.jetty.alpn/alpn-api
+                  org.eclipse.jetty/jetty-alpn-server
+                  org.eclipse.jetty.http2/http2-server
+                  org.eclipse.jetty.websocket/websocket-api
+                  org.eclipse.jetty.websocket/websocket-servlet
+                  org.eclipse.jetty.websocket/websocket-server]}
+    org.eclipse.jetty/jetty-server       {:mvn/version "9.4.52.v20230823"}
+    org.eclipse.jetty/jetty-servlet      {:mvn/version "9.4.52.v20230823"}
+    org.eclipse.jetty.alpn/alpn-api      {:mvn/version "1.1.3.v20160715"}
+    org.eclipse.jetty/jetty-alpn-server  {:mvn/version "9.4.52.v20230823"}
+    org.eclipse.jetty.http2/http2-server {:mvn/version "9.4.52.v20230823"}
+    ;; Other server deps
+    io.pedestal/pedestal.service {:mvn/version "0.6.0"}
     org.slf4j/slf4j-simple       {:mvn/version "1.7.28"}
     clj-http/clj-http            {:mvn/version "3.12.3"}
     environ/environ              {:mvn/version "1.1.0"}