Could you please upgrade the vulnerable transitive dependency commons-collections:commons-collections:3.2.2 (https://advisory.checkmarx.net/advisory/vulnerability/Cx78f40514-81ff/) found in opencsv 5.6 in a free minute?
Unfortunately there is no update for commons-collections. They stopped at 3.2.2 and started work on its replacement, commons-collections4, which unfortunately is not compatible with commons-beanutils:commons-beanutils:1.9.4, the dependency that opencsv uses and that has the transitive dependency.
Fortunately the methods that are vulnerable are not used by commons-beanutils.
But if that is not enough, I would recommend that you petition the Apache Foundation to create a version of commons-beanutils that uses commons-collections4. When that happens we will be able to upgrade.
Added note - take heart! Out of curiosity I downloaded the source for commons-beanutils and it has been renamed to commons-beanutils2 and is in active development.
Looking at the dependency tree I do not see a dependency on commons-collections, but there is one on commons-collections-testframework... whose last update was in 2013... So I am not sure if it would have the same issue or not. Hopefully not.
But once commons-beanutils2 is released we will look at upgrading opencsv.
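The comments above rely on reading the dependency tree to see how commons-collections 3.2.2 reaches a project (opencsv -> commons-beanutils -> commons-collections). The script below is an added example, not part of this ticket or the opencsv project: it parses the text that `mvn dependency:tree` prints and reports every root-to-target chain, so you can confirm which direct dependency carries the flagged artifact and therefore where a `<dependencyManagement>` override or `<exclusion>` would have to be declared. The tree output is a constructed sample in the plugin's non-verbose format; the versions of the artifacts other than opencsv 5.6, commons-beanutils 1.9.4 and commons-collections 3.2.2 are illustrative.

```python
"""Trace how a flagged artifact reaches a Maven project through its dependency tree.

Reads the plain-text output of `mvn dependency:tree` (non-verbose mode) and
returns every chain from the project root down to a given groupId:artifactId.
Assumption: each nesting level is rendered with a 3-column prefix made of
'+- ', '\\- ', '|  ' or '   ', which is how the maven-dependency-plugin draws it.
"""
import re

# Constructed sample of `mvn dependency:tree` output for a project that
# depends on opencsv 5.6. Only opencsv, commons-beanutils and
# commons-collections carry the versions discussed in the ticket; the
# remaining version numbers are illustrative.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0-SNAPSHOT
[INFO] +- com.opencsv:opencsv:jar:5.6:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \\- commons-collections:commons-collections4:jar:4.4:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# Characters that make up the tree-drawing prefix in front of a coordinate.
_PREFIX_CHARS = "+-|\\ "
# groupId:artifactId:type[:classifier]:version[:scope], optionally followed by
# an annotation in parentheses. Plugin banners and separators do not match.
_COORD_RE = re.compile(r"^[\w.-]+(?::[\w.-]+){3,5}(?: \(.*\))?$")


def parse_tree(text):
    """Yield (depth, coordinate) for every artifact line in the tree output."""
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        coord = body.lstrip(_PREFIX_CHARS)
        if not _COORD_RE.match(coord):
            continue  # plugin banner, separator line, BUILD SUCCESS, ...
        depth = (len(body) - len(coord)) // 3  # one tree level = 3 columns
        yield depth, coord


def find_paths(text, group_id, artifact_id):
    """Return every root-to-target chain as a list of coordinate strings."""
    target = f"{group_id}:{artifact_id}:"
    stack, paths = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]        # drop siblings/children of the previous node
        stack.append(coord)
        if coord.startswith(target):
            paths.append(list(stack))
    return paths


def direct_dependency_for(path):
    """The depth-1 (direct) dependency through which the target arrives, or None."""
    return path[1] if len(path) > 1 else None


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "commons-collections", "commons-collections"):
        print(" -> ".join(path))
        print("direct dependency to manage/exclude on:", direct_dependency_for(path))
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `find_paths`. The chain tells you that an `<exclusion>` would have to sit on the opencsv dependency, but note that excluding a library another library needs at runtime trades a scanner finding for a `NoClassDefFoundError`, which is why the comment above argues about whether the flagged code paths are actually reachable rather than simply removing the jar.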