[Question] Is there a plan to fix the vulnerabilities in the dependency software?

[minchai23]

Search before asking

• I had searched in the issues and found no similar issues.

Question

1. CVE-2023-39017 in Quartz 2.3.2，API misuse of org.quartz.jobs.ee.jms.SendQueueMessageJob.execute would lead the code injection vulnerability. quartz-scheduler/quartz#943
2. Other Vulnerabilities in Spring Boot's dependent software

[lprimak]

Yes. We run security scans and dependabot to keep dependencies up to date.
Currently, Security scans do not show any vulnerabilities in Shiro.

There are no current vulnerabilities listed in "Spring Boot's dependent software" that we are aware of.

I do not believe Shiro has is actually using vulnerability in the above CVE, so it doesn't really apply here.
Also, looks like Quartz scheduler is abandoned.

I am going to close this issue. Will leave your PR open under discussion in Slack