From 45ce93c2c213e292e14dc854fcc9e864f72d46ea Mon Sep 17 00:00:00 2001 From: Lawrence Qiu Date: Mon, 22 Jun 2026 21:42:22 +0000 Subject: [PATCH] fix: upgrade commons-codec to 1.14 to resolve security vulnerability Upgrades the transitive dependency `commons-codec:commons-codec` (brought in via `httpclient`) to `1.14` to resolve a security vulnerability (SNYK-JAVA-COMMONSCODEC-561518) which affects versions older than 1.14. We cannot upgrade httpclient further because 4.5.14 is the latest version on the 4.x branch, and upgrading to 5.x would be a breaking change. BUG=496541059 TAG=agy CONV=b43d61a6-175a-4130-8ed4-ec217f123c55 --- pom.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pom.xml b/pom.xml index ca68c89db..3ade7f13b 100644 --- a/pom.xml +++ b/pom.xml @@ -160,6 +160,17 @@ xpp3 ${project.xpp3.version} + + + commons-codec + commons-codec + ${project.commons-codec.version} + org.apache.httpcomponents httpclient @@ -559,6 +570,7 @@ 1.1.4c 4.5.14 4.4.16 + 1.14 5.3.1 5.2.5 0.31.1
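Review bot: in the first hunk (pom.xml, `@@ -160,6 +160,17 @@`), the new `commons-codec` / `commons-codec` / `${project.commons-codec.version}` entry is placed directly before the `org.apache.httpcomponents` `httpclient` entry, but the enclosing element names are not visible in this rendering, so it is unclear whether the entry is a direct dependency or a managed version. The two behave differently. A direct entry under `dependencies` makes commons-codec a first-level dependency of this artifact, so downstream consumers also resolve the pinned version ahead of the one httpclient declares. An entry under `dependencyManagement` only overrides the version in this build and in modules that inherit from this pom. The commit message describes commons-codec as transitive via `httpclient`, so please confirm which of the two is intended and that the entry sits in the matching section.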
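Review bot: in the second hunk (pom.xml, `@@ -559,6 +570,7 @@`), the added property value `1.14` is exactly the boundary the commit message gives for SNYK-JAVA-COMMONSCODEC-561518 ("affects versions older than 1.14"), so the pin sits at the lowest unaffected version and will stay there until someone bumps it by hand. Since this override detaches commons-codec from whatever version `httpclient` 4.5.14 declares, it is worth checking whether a later commons-codec release can be used instead, and confirming the version that is actually resolved in every module with `mvn dependency:tree -Dincludes=commons-codec:commons-codec` before merging.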