Bump the OSGi dep to fix a CVE in the default one. (#2356 fixes #2166)

diffplug · Dec 8, 2024 · dbe3d97 · dbe3d97
2 parents ca1a338 + ffeb302
commit dbe3d97
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib-extra/build.gradle b/lib-extra/build.gradle
@@ -18,6 +18,10 @@ dependencies {
 	implementation "com.googlecode.concurrent-trees:concurrent-trees:2.6.1"
 	// for eclipse
 	implementation "dev.equo.ide:solstice:${VER_SOLSTICE}"
+	// the osgi dep is included in solstice, but it has some CVE's against it.
+	// 3.18.500 is the oldest, most-compatible version with no CVE's
+	// https://central.sonatype.com/artifact/org.eclipse.platform/org.eclipse.osgi/versions
+	implementation "org.eclipse.platform:org.eclipse.osgi:3.18.500"
 
 	// testing
 	testImplementation projects.testlib