Merge pull request #1013 from solita/feature/AE-1967-fix-vulns

Bring in a newer Jetty client
solita · Oct 5, 2023 · 099c7a7 · 099c7a7
2 parents cc5f10e + 97be63e
commit 099c7a7
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn
@@ -45,7 +45,9 @@
  ring/ring-jetty-adapter
  org.clojure/data.json]}
  org.clojure/core.match {:mvn/version "1.0.1"}
- com.cognitect.aws/api {:mvn/version "0.8.686"}
+ com.cognitect.aws/api {:mvn/version "0.8.686"
+ :exclusions [org.eclipse.jetty/jetty-client]} ; Replaced by a newer version
+ org.eclipse.jetty/jetty-client {:mvn/version "9.4.52.v20230823"} ; aws-api uses vulnerable jetty version. Bring in a bit newer one
  com.cognitect.aws/endpoints {:mvn/version "1.1.12.504"}
  com.cognitect.aws/s3 {:mvn/version "848.2.1413.0"}
  de.ubercode.clostache/clostache {:mvn/version "1.4.0"}