Conversation
This was upgraded to work around some vulnerability issues that do not exist as of today.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ede7d1076f
| exclude(group = "org.mozilla", module = "rhino") | ||
| } | ||
| implementation("org.mozilla:rhino:1.9.0") | ||
| implementation("io.swagger.parser.v3:swagger-parser:2.1.37") |
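Review bot: dropping the explicit `implementation("org.mozilla:rhino:1.9.0")` line does not by itself take Rhino off the classpath; the `exclude(group = "org.mozilla", module = "rhino")` block and the pin that this hunk touches only decide which Rhino version Gradle's conflict resolution selects, so if `io.swagger.parser.v3:swagger-parser:2.1.37` still requests it transitively the library remains in the build at whatever version that transitive path asks for. Before merging, confirm the outcome with `./gradlew dependencyInsight --dependency org.mozilla:rhino --configuration runtimeClasspath`, and if the goal is no Rhino at all, exclude it from every configuration rather than removing the pin.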
Keep Rhino pinned until swagger-parser stops pulling 1.7.7.2
If the intent is to remove Rhino from the shipped classpath, this change does the opposite: swagger-parser:2.1.37 still brings swagger-parser-v2-converter -> io.swagger:swagger-compat-spec-parser:1.0.75 -> com.github.java-json-tools:json-schema-validator:2.2.14 -> json-schema-core:1.2.14 -> org.mozilla:rhino:1.7.7.2, and specmatic-core still depends on the same parser (core/build.gradle.kts:43). Removing the explicit org.mozilla:rhino:1.9.0 here therefore downgrades the resolved Rhino version back to 1.7.7.2, so the executable will still contain Rhino and any release/security checks that motivated the pin are likely to start failing again.
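The two ways to make the outcome the review comment describes deterministic, written out as Gradle Kotlin DSL. This is an added example, not the project's build.gradle.kts: the `strictly("1.9.0")` target, the `:core` project path in the verification command, and the assumption that the same parser is declared in more than one module are illustrative choices, and the two options are alternatives to pick between, not a single file to apply as-is.

```kotlin
// Added example (not the project's build file). Two alternatives for making the
// Rhino version on the runtime classpath explicit instead of letting Gradle's
// default "highest requested version wins" conflict resolution decide it.
dependencies {
    // Per the review comment above, swagger-parser 2.1.37 transitively requests
    // org.mozilla:rhino:1.7.7.2 (swagger-parser-v2-converter ->
    // swagger-compat-spec-parser -> json-schema-validator -> json-schema-core).
    implementation("io.swagger.parser.v3:swagger-parser:2.1.37")

    // Option A: keep Rhino, but control the version. A constraint takes part in
    // conflict resolution without declaring Rhino as a direct dependency, and
    // strictly() fails the build if any path requests a version outside it.
    constraints {
        implementation("org.mozilla:rhino") {
            version { strictly("1.9.0") }   // assumed target, matching the old pin
            because("override the 1.7.7.2 pulled in transitively by swagger-parser")
        }
    }
}

// Option B: no Rhino on the classpath at all. Excluding it on the one declaring
// dependency is not enough when another module (assumed here: core) depends on
// the same parser, so exclude it from every configuration. Whether the v2
// converter path still works without Rhino is not something the build file can
// tell you; exercise that path before shipping the exclusion.
configurations.all {
    exclude(group = "org.mozilla", module = "rhino")
}

// Verify either option (project path assumed; run from the repository root):
//   ./gradlew :core:dependencyInsight --dependency org.mozilla:rhino --configuration runtimeClasspath
// Option A should show a single 1.9.0 selected by constraint; Option B should
// report that no dependency matches the selector.
```

The constraint form is preferable to a bare `implementation("org.mozilla:rhino:1.9.0")` pin when the only reason for the line is version control: it documents why the version is forced and it does not survive as a phantom direct dependency if swagger-parser later stops needing Rhino.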