Hi guys,
The version of json-lib available in mavenrepository https://mvnrepository.com/artifact/net.sf.json-lib/json-lib (2.4 latest) has a commons-collection 3.2.1 dependency which has a security vulnerability https://www.cvedetails.com/cve/CVE-2017-15708/ and is fixed in commons-collection 3.2.2.
Is there any plan to address this?
Raf.
You can configure dependency resolution rules with your build tool of choice to override the selection of version 3.2.1 of the commons-collections dependency. Also, development of this library has been moved to https://github.com/kordamp/json-lib
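One way to apply the override described in the reply above, assuming Maven is the build tool (an added example, not from this thread or the json-lib project). The `com.example:json-lib-consumer` coordinates are hypothetical, and the `jdk15` classifier and the enforcer plugin version are assumptions about the consuming build:

```xml
<!-- Added example: com.example:json-lib-consumer is a hypothetical consuming project -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>json-lib-consumer</artifactId>
  <version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <!-- Overrides the commons-collections 3.2.1 that json-lib 2.4 pulls in transitively -->
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.sf.json-lib</groupId>
      <artifactId>json-lib</artifactId>
      <version>2.4</version>
      <classifier>jdk15</classifier> <!-- assumption: the JDK 1.5+ build of json-lib -->
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- Fails the build if any dependency path resolves a version below 3.2.2 again -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>
        <executions>
          <execution>
            <id>ban-old-commons-collections</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>commons-collections:commons-collections:(,3.2.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree -Dincludes=commons-collections` afterwards confirms which version is actually resolved.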