Update aws-java-sdk-s3 to remove ion-java #309
Conversation
There’s a vulnerability in ion-java, which is depended on by the current version of aws-java-sdk-s3, but removed from 1.12.638 forward. This commit updates that dependency to its newest version to remove the ion-java dependency and facilitate removal of the vulnerability from projects which depend on this one.
|
This supersedes PR 297, which is a scala steward PR updating to a slightly less new version. Maybe we should just go with the scala steward PR? |
Yes I think lets go ahead with Scala-steward PR(s), good to have upgrade anyway across the board, |
|
@Divs-B has published a preview version of this PR with release workflow run #13, based on commit c11bcb4: 5.0.4-PREVIEW.update-aws-java-sdk-s3.2024-03-06T1657.c11bcb4e Want to make another preview release?Click 'Run workflow' in the GitHub UI, specifying the update-aws-java-sdk-s3 branch, or use the GitHub CLI command: gh workflow run release.yml --ref update-aws-java-sdk-s3 Want to make a full release after this PR is merged?Click 'Run workflow' in the GitHub UI, leaving the branch as the default, or use the GitHub CLI command: gh workflow run release.yml |
There was a problem hiding this comment.
@rtyley and I have tried this out on apple-news code and it is working as expected and we are able to fix ion-java based snyk high vuln.
https://github.com/guardian/apple-news/pull/317#issuecomment-1983396589
What does this change?
There’s a vulnerability in ion-java, which is depended on by the current version of aws-java-sdk-s3, but removed from 1.12.638 forward. This change updates that dependency to its newest version to remove the ion-java dependency and facilitate removal of the vulnerability from projects which depend on this one.
How to test
To test this, I suppose I could make a snapshot release, and then run the tests of each dependent listed below with the snapshot version to make sure the tests pass. Should I?
How can we measure success?
Deployment