
Downgrade cron-utils to 9.2.0 #873

Merged
merged 2 commits into from
Aug 28, 2023

Commits on Aug 26, 2023

  1. Downgrade cron-utils to 9.2.0

    Motivation:
    We have upgraded cron-utils to 9.2.1 to address [CVE-2021-41269](GHSA-p9m8-27x8-rg87).
    The 9.2.1 version uses slf4j2 that must be used with logback 1.3 or 1.4.
    Because we use logback 1.2 version in Armeria, we need to exclude slf4j2: line#872
    Just excluding slf4j should be okay because cron-utils isn't using any APIs that are introduced after slf4j 2.0:
    https://github.com/search?q=repo%3Ajmrozanec%2Fcron-utils+slf4j&type=code
    However, there's no guarantee that cron-utils won't use the new APIs in the future.
    So, I think we should stop upgrading it until another CVE is found or Armeria uses a higher version of Logback and Slf4j.
    
    While I was working on this, I found out that cron-utils 9.2.0, which is one micro version earlier, uses Slf4j 1.x, which is compatible with Armeria,
    so it's better to use that version.
    
    Modification:
    - Downgrade cron-utils to 9.2.0
    
    Result:
    - Resolve dependency conflict for server module.
    minwoox committed Aug 26, 2023
    717a4e8
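The commit message above pins cron-utils to 9.2.0 rather than excluding its slf4j 2.x transitive dependency, because nothing guarantees a later cron-utils release will stay away from SLF4J 2 APIs. The Gradle fragment below is an added illustration of that approach, not Armeria's actual build file: it pins the version from the commit and adds a resolution-time guard that fails the build if any dependency requests SLF4J 2.x again, so a future bump is caught at build time instead of as a runtime binding failure against Logback 1.2. The Maven coordinates `com.cronutils:cron-utils` and `org.slf4j:slf4j-api` are assumed here; the project name and configuration names are hypothetical.

```groovy
// build.gradle (Groovy DSL). Added example, not Armeria's own build script.
// Assumed coordinates: com.cronutils:cron-utils, org.slf4j:slf4j-api.
dependencies {
    // Pin to 9.2.0: this version still depends on SLF4J 1.x, which is the
    // line that works with the Logback 1.2 already used by the project.
    implementation 'com.cronutils:cron-utils:9.2.0'
}

// Guard: reject any request for SLF4J 2.x during dependency resolution.
// eachDependency fires for every requested module edge, so a transitive
// request from a future cron-utils upgrade is caught here as well.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        def req = details.requested
        if (req.group == 'org.slf4j' && req.name == 'slf4j-api'
                && req.version != null && req.version.startsWith('2.')) {
            throw new GradleException(
                "SLF4J 2.x requested (${req}) but this project runs Logback 1.2; " +
                "pin the requesting library to a version that uses SLF4J 1.x")
        }
    }
}
```

To see which library introduces a given slf4j-api version before or after such a change, `./gradlew dependencyInsight --configuration runtimeClasspath --dependency slf4j-api` prints the full request chain for that module, which is the quickest way to confirm that 9.2.0 really pulls in SLF4J 1.x and nothing else pulls in 2.x.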

Commits on Aug 28, 2023

  1. be016dc