upgrading velocity-engine-core to version 2.4


Anoop Chitreddy

Oct 21, 2024, 12:21:23 AM
to WildFly
Hi, 

We are currently using wildfly-33.0.1.Final built using the WildFly feature pack. Recently we received a warning from our dependency check tool indicating that velocity-engine-core-2.3.jar (shaded: commons-io:commons-io:2.8.0) is triggering a high-severity CVE: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47554

Would we be safe to upgrade velocity-engine-core to version 2.4? I am asking this question because the module file for commons-io in WildFly is marking it as a private dependency:
------------------------------------------------------------------------------------------------------------------------
<module name="org.apache.velocity" xmlns="urn:jboss:module:1.9">

    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="velocity-engine-core-2.3.jar"/>
    </resources>

    <dependencies>
        <module name="java.naming"/>
        <module name="java.sql"/>
        <module name="org.apache.commons.collections"/>
        <module name="org.apache.commons.lang3"/>
        <module name="org.slf4j"/>
    </dependencies>
</module>
------------------------------------------------------------------------------------------------------------------------


Appreciate your help.

Anoop

Bartosz Baranowski

Oct 21, 2024, 2:23:05 AM
to WildFly
https://issues.redhat.com/browse/AS7-3323
It just means it can be changed without notice AFAIR.
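Before swapping the jar in a module marked jboss.api=private, it helps to know which other modules in the WildFly modules tree depend on it. The script below is an added example, not code from the thread or from WildFly: it parses JBoss module.xml descriptors (the org.apache.velocity descriptor quoted above, plus a constructed org.example.app module that is assumed to depend on it) and reports each module's jar, its jboss.api visibility and its dependents.

```python
# Added example (not from the thread): inspect JBoss module.xml descriptors to see
# which jar a module loads, its jboss.api visibility, and which modules depend on it.
import xml.etree.ElementTree as ET

# Descriptor quoted in the question (dependency list shortened).
VELOCITY_MODULE_XML = """<module name="org.apache.velocity" xmlns="urn:jboss:module:1.9">
    <properties><property name="jboss.api" value="private"/></properties>
    <resources><resource-root path="velocity-engine-core-2.3.jar"/></resources>
    <dependencies>
        <module name="java.naming"/>
        <module name="org.slf4j"/>
    </dependencies>
</module>"""

# Constructed descriptor for a hypothetical application module that uses velocity.
APP_MODULE_XML = """<module name="org.example.app" xmlns="urn:jboss:module:1.9">
    <resources><resource-root path="app.jar"/></resources>
    <dependencies><module name="org.apache.velocity"/></dependencies>
</module>"""


def _local(tag):
    """Strip the versioned default namespace (urn:jboss:module:1.x) from a tag."""
    return tag.rsplit("}", 1)[-1]


def parse_module(xml_text):
    """Return module name, jboss.api value (None when unset), resource jars and dependencies."""
    root = ET.fromstring(xml_text)
    info = {"name": root.get("name"), "api": None, "resources": [], "dependencies": []}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "property" and el.get("name") == "jboss.api":
            info["api"] = el.get("value")
        elif tag == "resource-root":
            info["resources"].append(el.get("path"))
        elif tag == "module" and el is not root:  # nested <module> = a dependency
            info["dependencies"].append(el.get("name"))
    return info


def dependents_of(modules, target):
    """Sorted names of modules that declare a dependency on `target`."""
    return sorted(m["name"] for m in modules if target in m["dependencies"])


if __name__ == "__main__":
    mods = [parse_module(VELOCITY_MODULE_XML), parse_module(APP_MODULE_XML)]
    for m in mods:
        print(m["name"], "api:", m["api"] or "unset", "jars:", m["resources"])
    print("depends on org.apache.velocity:", dependents_of(mods, "org.apache.velocity"))
```

On a real installation, feed it every module.xml under the WildFly modules directory to see the full set of modules that would be affected by the jar swap.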