Setter eksplistt versjonen på snappy-java og SnakeYaml pga sikkerhet

navikt · Oct 8, 2023 · 1fbff4b · 1fbff4b
1 parent 4ec13f5
commit 1fbff4b
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -16,6 +16,9 @@ val assertjVersion = "3.24.2"
 val awaitilityVersion = "4.2.0"
 val wiremockVersion = "3.2.0"
 
+val snappyJavaVersion = "1.1.10.5"
+val snakeYamlVersion = "2.2"
+
 plugins {
     kotlin("jvm") version "1.9.10"
     kotlin("plugin.spring") version "1.9.10"
@@ -65,6 +68,11 @@ dependencies {
     implementation("org.postgresql:postgresql:$postgresqlVersion")
     implementation("org.flywaydb:flyway-core:$flywayCoreVersion")
 
+    // These are transitive dependencies, but overriding them on top level due to vulnerabilities
+    // (and in some cases, the wrong version being picked)
+    implementation("org.xerial.snappy:snappy-java:$snappyJavaVersion")
+    implementation("org.yaml:snakeyaml:$snakeYamlVersion")
+
     // Test - setup
     testImplementation("org.springframework.boot:spring-boot-starter-test")
     testImplementation(kotlin("test"))