Update transitive dependency commons-beanutils.
afs opened this issue · comments
Andy Seaborne commented
rdf-tables 1.0.4 has a dependency that includes commons-beanutils via com.opencsv:opencsv.
CVE-2019-10086 for commons-beanutils is fixed in 1.9.4.
io.github.galbiston:rdf-tables:jar:1.0.4:compile
+- com.opencsv:opencsv:jar:3.9:runtime
\- commons-beanutils:commons-beanutils:jar:1.9.3:runtime
com.opencsv:opencsv is now at 5.5.2 which is quite a jump.
Forcing commons-beanutils 1.9.4 should work, as it is an x.x.1 release and the Apache Commons project components follow semantic versioning quite carefully.
For jena-fuseki-geosparql, we can add an exclusion and an explicit dependency on 1.9.4.
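The exclusion-plus-explicit-dependency approach described in the comment, written out as an added example (not the project's own pom.xml). The coordinates are those quoted in the dependency tree above; the property name and the `jena-fuseki-geosparql` module context are assumptions.

```xml
<!-- Added example: pin the transitive commons-beanutils brought in via
     rdf-tables -> opencsv to the fixed 1.9.4 release (CVE-2019-10086).
     Property name is assumed; coordinates come from the dependency tree. -->
<properties>
  <ver.commons-beanutils>1.9.4</ver.commons-beanutils>
</properties>

<dependencies>
  <!-- Keep rdf-tables, but stop it from pulling in beanutils 1.9.3 transitively. -->
  <dependency>
    <groupId>io.github.galbiston</groupId>
    <artifactId>rdf-tables</artifactId>
    <version>1.0.4</version>
    <exclusions>
      <exclusion>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare the fixed version directly so opencsv still finds it at runtime.
       Scope matches the original transitive scope (runtime). -->
  <dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>${ver.commons-beanutils}</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>
```

Confirm the pin took effect with `mvn dependency:tree -Dincludes=commons-beanutils`, which should list only the 1.9.4 artifact; a module that still resolves 1.9.3 has another path to it that also needs an exclusion.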