Update maven core deps to 3.8.8 and remove Guava as we dont need it

clojure · Dec 28, 2023 · 6db514c · 6db514c
1 parent 11d82c6
commit 6db514c
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ Changelog
 * next
   * TDEPS-238 - deps.edn files are now validated against specs
   * TDEPS-239 - treat empty deps.edn file as {}
+  * Update some minor dep versions
 * 0.18.1374 on Dec 4, 2023
   * Revert update of Maven resolver libs - seeing resolution differences
 * 0.18.1370 on Dec 4, 2023

diff --git a/deps.edn b/deps.edn
@@ -8,10 +8,9 @@
    org.apache.maven.resolver/maven-resolver-connector-basic {:mvn/version "1.8.2"}
    org.apache.maven.resolver/maven-resolver-transport-file {:mvn/version "1.8.2"}
    org.apache.maven.resolver/maven-resolver-transport-http {:mvn/version "1.8.2"}
-   org.apache.maven/maven-resolver-provider {:mvn/version "3.8.6"}
-   org.apache.maven/maven-core {:mvn/version "3.8.6" :exclusions [commons-io/commons-io com.google.guava/guava]}
-     commons-io/commons-io {:mvn/version "2.15.1"} ;; update transitive dep due to CVE-2021-29425
-     com.google.guava/guava {:mvn/version "31.1-jre"} ;; update transitive dep due to CVE-2020-8908
+   org.apache.maven/maven-resolver-provider {:mvn/version "3.8.8"}
+   org.apache.maven/maven-core {:mvn/version "3.8.8" :exclusions [com.google.guava/guava]}
+   ;  com.google.guava/guava {:mvn/version "33.0.0-jre"} ;; update transitive dep due to CVE-2020-8908
    org.clojure/data.xml {:mvn/version "0.2.0-alpha8"}
    org.clojure/tools.gitlibs {:mvn/version "2.5.197"}
    org.clojure/tools.cli {:mvn/version "1.0.219"}

diff --git a/pom.xml b/pom.xml
@@ -22,7 +22,7 @@
     <clojure.warnOnReflection>true</clojure.warnOnReflection>
     <clojure.version>1.10.3</clojure.version>
     <resolverVersion>1.8.2</resolverVersion>
-    <mavenVersion>3.8.6</mavenVersion>
+    <mavenVersion>3.8.8</mavenVersion>
 
     <!-- default published in install deps.edn -->
     <clojure.default>1.10.3</clojure.default>
@@ -78,27 +78,13 @@
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-core</artifactId>
       <version>${mavenVersion}</version>
-           <exclusions>
-        <exclusion> <!-- CVE-2021-29425 -->
-          <groupId>commons-io</groupId>
-          <artifactId>commons-io</artifactId>
-        </exclusion>
+      <exclusions>
         <exclusion> <!-- CVE-2020-8908 -->
           <groupId>com.google.guava</groupId>
           <artifactId>guava</artifactId>
         </exclusion>
       </exclusions>
     </dependency>
-    <dependency> <!-- overridden transitive dep -->
-      <groupId>commons-io</groupId>
-      <artifactId>commons-io</artifactId>
-      <version>2.15.1</version>
-    </dependency>
-    <dependency> <!-- overridden transitive dep -->
-      <groupId>com.google.guava</groupId>
-      <artifactId>guava</artifactId>
-      <version>31.1-android</version>
-    </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-nop</artifactId>