AE-1893: Exclude batik dependencies from openhtmltopdf-svg-support an…

…d depend directly to newer versions - Newer versions contain a bunch of fixes to known vulnerabilities
solita · Jun 28, 2023 · 585d656 · 585d656
1 parent 45c5b5e
commit 585d656
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/etp-backend/deps.edn b/etp-backend/deps.edn
@@ -52,9 +52,19 @@
  commonmark-hiccup/commonmark-hiccup {:mvn/version "0.2.0"}
 
  com.openhtmltopdf/openhtmltopdf-pdfbox {:mvn/version "1.0.10"}
- com.openhtmltopdf/openhtmltopdf-svg-support {:mvn/version "1.0.10"}
  com.openhtmltopdf/openhtmltopdf-slf4j {:mvn/version "1.0.10"}
 
+ ;; Contains vulnerable version of batik-* libraries, exclude those
+ ;; and add direct dependency to newer versions
+ com.openhtmltopdf/openhtmltopdf-svg-support
+ {:mvn/version "1.0.10"
+ :exclusions [org.apache.xmlgraphics/batik-transcoder
+ org.apache.xmlgraphics/batik-codec
+ org.apache.xmlgraphics/batik-ext]}
+ org.apache.xmlgraphics/batik-transcoder {:mvn/version "1.16"}
+ org.apache.xmlgraphics/batik-codec {:mvn/version "1.16"}
+ org.apache.xmlgraphics/batik-ext {:mvn/version "1.16"}
+
  ;; Non-alpha version does not support xml namespaces
  org.clojure/data.xml {:mvn/version "0.2.0-alpha6"}
  camel-snake-kebab/camel-snake-kebab {:mvn/version "0.4.1"}