From ffeb302ca2bc3a20ad1ab14b24321fbe0f71162a Mon Sep 17 00:00:00 2001
From: Ned Twigg <ned.twigg@diffplug.com>
Date: Sun, 8 Dec 2024 08:39:30 -0800
Subject: [PATCH] Bump the OSGi dep to fix a CVE in the default one.

---
 lib-extra/build.gradle | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib-extra/build.gradle b/lib-extra/build.gradle
index d7e5a7ab2e..577954fd3a 100644
--- a/lib-extra/build.gradle
+++ b/lib-extra/build.gradle
@@ -18,6 +18,10 @@ dependencies {
 	implementation "com.googlecode.concurrent-trees:concurrent-trees:2.6.1"
 	// for eclipse
 	implementation "dev.equo.ide:solstice:${VER_SOLSTICE}"
+	// the osgi dep is included in solstice, but it has some CVE's against it.
+	// 3.18.500 is the oldest, most-compatible version with no CVE's
+	// https://central.sonatype.com/artifact/org.eclipse.platform/org.eclipse.osgi/versions
+	implementation "org.eclipse.platform:org.eclipse.osgi:3.18.500"
 
 	// testing
 	testImplementation projects.testlib