ClojureScript has a transitive dependency with a known vulnerability (CVE-2015-5237)

Description

Logged from https://ask.clojure.org/index.php/9065/clojurescript-transitive-dependency-known-vulnerability:

ClojureScript depends on a dated version of com.google.javascript/closure-compiler-unshaded (v20180805), which depends on a version of com.google.protobuf/protobuf-java (3.0.2) with a known vulnerability (CVE-2015-5237).

Environment

None

Activity

David Nolen
March 29, 2020, 8:02 PM

Assignee

David Nolen

Reporter

Alex Miller

Labels

None

Approval

None

Patch

None

Affects versions

Priority

Critical