
com.squareup.okio:okio transitive dependency has security vulnerability

Open lukewpatterson opened this issue 2 years ago • 1 comments

From mvn dependency:tree

[INFO] +- com.plaid:plaid-java:jar:17.0.0:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  |  +- com.squareup.okio:okio:jar:2.8.0:compile

My build report is showing this vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

The direct dependency com.squareup.okhttp3:okhttp, which brings in the problematic transitive dependency, looks like it will be releasing a new version very soon which addresses the issue - https://github.com/square/okhttp/issues/8050

According to the vulnerability report, it looks like com.squareup.okio:okio needs to be at least at version 3.4.0.

I just wanted to make sure this was on your radar, and I was hoping it could be included in the release that fixes the other ticket I just filed: https://github.com/plaid/plaid-java/issues/397

lukewpatterson avatar Oct 17 '23 02:10 lukewpatterson
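The report above is a manual reading of `mvn dependency:tree` output against a minimum fixed version. The script below is an added example (not code from plaid-java, okhttp or okio) that automates that check: it parses the tree format, walks the chain from the direct dependency to the flagged artifact, compares versions against a table of minimum fixed versions, and renders a Maven `<dependencyManagement>` override. The `com.squareup.okio:okio` / `3.4.0` entry and the three tree lines come from this issue (CVE-2023-3635); the `com.example:safe-lib` line is constructed for contrast, and the version ordering is a simplified form of Maven's `ComparableVersion` rules.

```python
"""Flag transitive dependencies below a minimum fixed version in `mvn dependency:tree` output."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the three lines quoted in the issue plus one artifact that is not affected.
SAMPLE_TREE = """\
[INFO] +- com.plaid:plaid-java:jar:17.0.0:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:4.9.3:compile
[INFO] |  |  +- com.squareup.okio:okio:jar:2.8.0:compile
[INFO] |  |  \\- com.example:safe-lib:jar:1.2.3:compile
"""

# groupId:artifactId -> lowest version that carries the fix (okio 3.4.0 for CVE-2023-3635, per the issue).
MINIMUM_FIXED: Dict[str, str] = {"com.squareup.okio:okio": "3.4.0"}

# Maven prints groupId:artifactId:type[:classifier]:version:scope behind a tree prefix of 3-char cells.
LINE_RE = re.compile(
    r"^\[INFO\]\s(?P<prefix>(?:[| ]  )*[+\\]- )"
    r"(?P<ga>[\w.\-]+:[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Sort key: numeric components, then 'release beats qualifier', then the qualifier text.

    Trailing zeros are dropped so 3.4 == 3.4.0, and anything after the first
    non-numeric part (RC1, SNAPSHOT, ...) ranks below the plain release.
    """
    nums: List[int] = []
    qualifier = ""
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and not qualifier:
            nums.append(int(part))
        else:
            qualifier += part
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 1 if not qualifier else 0, qualifier)


def parse_tree(text: str) -> List[Dict]:
    """Turn dependency:tree lines into nodes carrying the path from the direct dependency down."""
    nodes: List[Dict] = []
    stack: List[str] = []  # coordinates of the ancestors at each depth
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3  # each "|  " / "   " / "+- " cell is 3 chars wide
        coord = f"{m.group('ga')}:{m.group('version')}"
        del stack[depth - 1:]
        stack.append(coord)
        nodes.append({"ga": m.group("ga"), "version": m.group("version"),
                      "scope": m.group("scope"), "depth": depth, "path": list(stack)})
    return nodes


def find_vulnerable(text: str, minimum_fixed: Dict[str, str]) -> List[Dict]:
    """Return every node whose version sorts below the minimum fixed version for its coordinates."""
    findings = []
    for node in parse_tree(text):
        fixed = minimum_fixed.get(node["ga"])
        if fixed and version_key(node["version"]) < version_key(fixed):
            findings.append({**node, "fixed_in": fixed})
    return findings


def dependency_management_snippet(findings: List[Dict]) -> str:
    """Render a <dependencyManagement> block pinning each flagged artifact to its fixed version."""
    entries = []
    for f in findings:
        group, artifact = f["ga"].split(":")
        entries.append(
            "    <dependency>\n"
            f"      <groupId>{group}</groupId>\n"
            f"      <artifactId>{artifact}</artifactId>\n"
            f"      <version>{f['fixed_in']}</version>\n"
            "    </dependency>"
        )
    return ("<dependencyManagement>\n  <dependencies>\n" + "\n".join(entries)
            + "\n  </dependencies>\n</dependencyManagement>")


if __name__ == "__main__":
    hits = find_vulnerable(SAMPLE_TREE, MINIMUM_FIXED)
    for hit in hits:
        print(f"{hit['ga']} {hit['version']} < {hit['fixed_in']} via " + " -> ".join(hit["path"]))
    if hits:
        print(dependency_management_snippet(hits))
```

The path output tells you which direct dependency to upgrade (here the chain ends at okhttp, whose 4.12.0 release the thread points to). A `<dependencyManagement>` pin is an interim measure only: confirm the pinned okio release is compatible with the okhttp version still on the classpath, and rerun the check once the direct dependency ships its own fix so the override can be removed.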

4.12.0 released

yschimke avatar Oct 18 '23 20:10 yschimke

A PR has been merged that addresses this and it should be shipped in the next client library release (most likely this month)

phoenixy1 avatar Jan 07 '25 01:01 phoenixy1