From 88a5dd06ff86d2d001895c61ad3ff62d87d43dfa Mon Sep 17 00:00:00 2001
From: Agentic Swarm
Date: Tue, 16 Jun 2026 15:31:25 +0000
Subject: [PATCH] chore(cve): force plexus-utils to 3.6.1 to address SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699

Add resolutionStrategy force for org.codehaus.plexus:plexus-utils:3.6.1 in build.gradle to remediate SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699. The CVE affects plexus-utils < 3.6.1; version 3.6.1 is a safe minor bump within the 3.x line that resolves the vulnerability. Remove the now-incorrect .snyk ignore entry which incorrectly claimed 4.0.3 was the only fix version.

DevRev: ISS-277652
---
 .snyk | 7 -------
 build.gradle | 1 +
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/.snyk b/.snyk
index b110c2cbf..fc6650297 100644
--- a/.snyk
+++ b/.snyk
@@ -76,13 +76,6 @@ ignore:
 reason: >-
 bc-fips forced to 2.1.2. Residual if Confluent test jars override.
 expires: 2026-06-30T00:00:00.000Z
- SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699:
- - '*':
- reason: >-
- plexus-utils 3.5.1 is a transitive test dependency (Confluent test
- jars). Fix requires 4.0.3 which is a major version bump breaking
- API. Not in production runtime.
- expires: 2026-06-30T00:00:00.000Z
 SNYK-JAVA-ORGECLIPSEJETTY-15426509:
 - '*':
 reason: >-
diff --git a/build.gradle b/build.gradle
index 76edcb8a2..158e02053 100644
--- a/build.gradle
+++ b/build.gradle
@@ -84,6 +84,7 @@ configurations.all {
 force("org.eclipse.jetty:jetty-client:12.0.33")
 force("org.eclipse.jetty:jetty-io:12.0.33")
 force("org.eclipse.jetty:jetty-util:12.0.33")
+ force("org.codehaus.plexus:plexus-utils:3.6.1")
 }
 }
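Review bot: The added `force("org.codehaus.plexus:plexus-utils:3.6.1")` pins that exact version in every configuration unconditionally, so it will also downgrade any dependency that later requests a higher plexus-utils (including the 4.x line the removed .snyk entry named), which is the opposite of what a vulnerability floor should do. The pin also carries no record of why 3.6.1 was chosen: the commit message says the advisory is fixed in 3.6.1 while the removed ignore entry recorded 4.0.3 as the fix, and the build.gradle hunk itself cites neither. I would annotate the line with the advisory and the removal condition, e.g. `// SNYK-JAVA-ORGCODEHAUSPLEXUS-15766699: floor for transitive plexus-utils from test jars; force also overrides higher versions, so drop once upstream pulls >= 3.6.1`, and consider a `constraints` entry with `version { require '3.6.1' }` instead of a hard force if the Gradle version in use supports rich versions. The enclosing block (`configurations.all` per the hunk header, presumably wrapping the `resolutionStrategy` the commit message describes) opens outside the hunk; only its closing braces are visible here.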