0 votes
in tools.deps by

tools.deps.alpha 0.11.918 uses maven-core 3.6.3, which seems to be affected by CVE-2021-26291

Does this present a risk for users of tools.deps.alpha or the Clojure command-line tools? Would it make sense to bump the referenced version?

1 Answer

+1 vote
selected by
Best answer

I have a jira https://clojure.atlassian.net/browse/TDEPS-178 open to evaluate the changes and update but have not yet had a chance to assess.

tools.deps layers some additional things over the top of Maven and is hard-coded to default to using https repos for Maven Central and Clojars as the first two repos it checks. tools.deps does NOT use Maven repositories in transitive deps.edn files, however it may use Maven repositories of pom-based Maven deps when resolving pom models.

Thank you. I'll keep an eye on that ticket.

Did a prerelease of Clojure CLI today that includes this bump for evaluation.

Wiped m2 and gitlibs locally, upgraded to this version, and it seems to be doing its job. I do depend on a few custom repositories but as they are all https I haven't experienced any blips. Thank you for the quick action.

Now released as stable version
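The answer above explains that tools.deps defaults to https for Maven Central and Clojars, ignores `:mvn/repos` from transitive deps.edn files, but may still follow `<repository>` URLs declared in the POMs of Maven dependencies. CVE-2021-26291 is exactly the case where a dependency's POM points at a plain-http repository, so the thing a user of custom repositories would want to check is that neither their own deps.edn nor the POMs they pull in introduce a non-https repository. The script below is an added example (not code from the tools.deps project or from anyone in this thread): it scans a deps.edn `:mvn/repos` map with a regex and a POM's `<repositories>`/`<pluginRepositories>` with an XML parser, and reports every repository URL that is not https. Both input documents are constructed samples; `read_paths` is a hypothetical convenience wrapper for running the same checks over real files.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample deps.edn: one https repository (fine) and one plain-http repository (flagged).
SAMPLE_DEPS_EDN = '''
{:deps {org.clojure/clojure {:mvn/version "1.10.3"}}
 :mvn/repos {"central" {:url "https://repo1.maven.org/maven2/"}
             "internal" {:url "http://artifacts.example.internal/maven2/"}}}
'''

# Constructed sample POM of the kind a Maven dependency may ship; its <repositories>
# block is what a resolver would follow when building the pom model.
SAMPLE_POM = '''<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>lib</artifactId><version>1.0</version>
  <repositories>
    <repository><id>clojars</id><url>https://repo.clojars.org/</url></repository>
    <repository><id>legacy</id><url>http://legacy-repo.example.org/</url></repository>
  </repositories>
</project>
'''

# Matches `"repo-name" {... :url "..." ...}` entries as written in a deps.edn :mvn/repos map.
# This is a pragmatic regex scan, not a full EDN parser.
EDN_REPO_RE = re.compile(r'"([^"]+)"\s*\{[^}]*?:url\s*"([^"]+)"')


def is_https(url):
    """True only for URLs that use TLS; anything else (http://, file://, ...) is reported."""
    return url.lower().startswith("https://")


def insecure_edn_repos(edn_text):
    """Return [(name, url)] for :mvn/repos entries in a deps.edn whose URL is not https."""
    return [(name, url) for name, url in EDN_REPO_RE.findall(edn_text) if not is_https(url)]


def insecure_pom_repos(pom_xml):
    """Return [(id, url)] for <repository>/<pluginRepository> entries whose URL is not https."""
    root = ET.fromstring(pom_xml)
    found = []
    for el in root.iter():
        # Strip the POM namespace so tags compare by local name.
        if el.tag.split("}")[-1] not in ("repository", "pluginRepository"):
            continue
        rid = url = None
        for child in el:
            local = child.tag.split("}")[-1]
            if local == "id":
                rid = (child.text or "").strip()
            elif local == "url":
                url = (child.text or "").strip()
        if url and not is_https(url):
            found.append((rid, url))
    return found


def read_paths(paths):
    """Hypothetical helper: run the matching check over real files by extension."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if path.endswith(".edn"):
            report[path] = insecure_edn_repos(text)
        elif path.endswith(".xml") or path.endswith(".pom"):
            report[path] = insecure_pom_repos(text)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in read_paths(sys.argv[1:]).items():
            print(path, hits)
    else:
        print("deps.edn:", insecure_edn_repos(SAMPLE_DEPS_EDN))
        print("pom.xml: ", insecure_pom_repos(SAMPLE_POM))
```

Run with no arguments to see the constructed samples flagged, or pass deps.edn files and the `.pom` files under `~/.m2/repository` to audit a real cache. Anything reported is a repository that a resolver could be made to contact in the clear, which is the condition the CVE describes; the remedy on the consumer side is the same either way, i.e. mirror or replace the entry with an https URL.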