Welcome! Please see the About page for a little more info on how this works.
tools.deps.alpha 0.11.918 uses maven-core 3.6.3, which seems to be affected by CVE-2021-26291
Does this present a risk for users of tools.deps.alpha or the Clojure command-line tools? Would it make sense to bump the referenced version?
I have a jira https://clojure.atlassian.net/browse/TDEPS-178 open to evaluate the changes and update but have not yet had a chance to assess.
tools.deps layers some additional things over the top of Maven and is hard-coded to default to using https repos for Maven Central and Clojars as the first two repos it checks. tools.deps does NOT use Maven repositories in transitive deps.edn files, however it may use Maven repositories of pom-based Maven deps when resolving pom models.