Force transitive dependency commons-compress to 1.26.0 or newer (#3049)

This is to fix security issue CVE-2024-25710. Pull request: #3049
com-lihaoyi · Feb 24, 2024 · 65eedfe · 65eedfe
1 parent b416b60
commit 65eedfe
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/build.sc b/build.sc
@@ -186,7 +186,8 @@ object Deps {
     ivy"com.google.code.gson:gson:2.10.1",
     ivy"com.google.protobuf:protobuf-java:3.25.3",
     ivy"com.google.guava:guava:33.0.0-jre",
-    ivy"org.yaml:snakeyaml:2.2"
+    ivy"org.yaml:snakeyaml:2.2",
+    ivy"org.apache.commons:commons-compress:[1.26.0,)"
   )
 
   /** Used in tests. */