Properly fix version of json-smart transitive dependency for third parties (#266)

mstruk · web-flow · commit a3a58f97db86 · 2025-04-15T09:02:27.000+02:00
Signed-off-by: Marko Strukelj &lt;marko.strukelj@gmail.com&gt;
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,6 +1,13 @@
 Release Notes
 =============
 
+0.16.2
+------
+
+### Properly override json-smart version to 2.5.2 to address CVE-2024-57699 warnings
+
+The version override in 0.16.1 was inadequate. It didn't work for third party components using the OAuth components. They would still transitively bring in `net.minidev:json-smart` version 2.5.0.
+
 0.16.1
 ------
 
diff --git a/oauth-common/pom.xml b/oauth-common/pom.xml
@@ -35,6 +35,11 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!-- Transitive override to address CVE-2024-57699. Remove in the future. -->
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.apache.kafka</groupId>
             <artifactId>kafka-clients</artifactId>
diff --git a/pom.xml b/pom.xml
@@ -290,6 +290,8 @@
                             <failOnWarning>true</failOnWarning>
                             <ignoredUnusedDeclaredDependencies>
                                 <ignoredUnusedDeclaredDependency>org.slf4j:slf4j-simple:jar</ignoredUnusedDeclaredDependency>
+                                <!-- Added due to transitive override to address CVE-2024-57699. Remove in the future. -->
+                                <ignoredUnusedDeclaredDependency>net.minidev:json-smart:jar</ignoredUnusedDeclaredDependency>
                             </ignoredUnusedDeclaredDependencies>
                         </configuration>
                     </execution>
