[Bug]: update docker-java transitive deps #9660
Comments
@eddumelendez Is there a specific timeline on these changes? I know in the snakeyaml case backwards compatibility was a concern, but security should take priority over backwards compatibility. Testcontainers still uses a version of jackson-databind susceptible to an RCE. These are severe vulnerabilities that compromise the security of the whole of testcontainers.
These are shaded deps, not transitive deps, so version changes should not affect backwards compat, i.e. so the only way upgrading that would break something outside of Shading has downsides, but upgrading shaded deps without breaking consumers is one of the upsides. As long as the testcontainers tests pass, then upgrading these poses little risk to users of testcontainers.
@yogurtearl In my organization, we're facing a block because of the mere presence of these testcontainers vulns within our SDLC, even though it's a test-only dependency with no potential presence in any release artifacts. Are you encountering similar challenges?
Module: Core
Testcontainers version: 1.20.4
Using the latest Testcontainers version? Yes
Host OS: macOS
Host Arch: arm
Docker version:
What happened?
testcontainers shades in docker-java and all its transitive deps. docker-java uses old versions of deps with vulns: testcontainers should force upgrade these transitive deps to the latest commons-io, commons-compress, guava and any other shaded dep to pick up vuln fixes.
Relevant log output:
Additional Information: No response
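Because the libraries are shaded into the testcontainers jar, a consumer cannot force their versions through its own build and ordinary dependency scanners may not see them. The following is an added defender-side check, not code from the Testcontainers project: it reads the Maven pom.properties entries that the shade plugin normally keeps under META-INF/maven/ inside a jar and flags any embedded library older than a caller-supplied minimum. It assumes those entries were not filtered out of the jar; the sample jar and the minimum versions below are constructed for the demonstration, not advisory data.

```python
import re
import zipfile
from io import BytesIO

# Path pattern of the Maven metadata the shade plugin keeps for each bundled artifact.
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def shaded_versions(jar_bytes):
    """Return {'groupId:artifactId': version} for every pom.properties found in the jar."""
    found = {}
    with zipfile.ZipFile(BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue  # skip comments and blank lines in the properties file
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
            # Fall back to the path components if the properties file lacks the coordinates.
            gav = f"{props.get('groupId', match.group(1))}:{props.get('artifactId', match.group(2))}"
            found[gav] = props.get("version", "?")
    return found


def parse_version(version):
    """Turn '33.0.0-jre' into (33, 0, 0); qualifiers such as '-jre' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version)[:3])


def below_minimum(found, minimums):
    """Return the embedded coordinates whose version is older than the required minimum."""
    return {gav: ver for gav, ver in found.items()
            if gav in minimums and parse_version(ver) < parse_version(minimums[gav])}


def build_sample_jar():
    """Constructed stand-in for a shaded jar; not a real testcontainers artifact."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/commons-io/commons-io/pom.properties",
                     "#Generated by Maven\nversion=2.7\ngroupId=commons-io\nartifactId=commons-io\n")
        jar.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                     "version=33.0.0-jre\ngroupId=com.google.guava\nartifactId=guava\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Minimum versions here are placeholders for the demo; take real thresholds from advisories.
    print(below_minimum(shaded_versions(build_sample_jar()),
                        {"commons-io:commons-io": "2.11.0", "com.google.guava:guava": "30.0"}))
```

To audit a real jar, pass `open("testcontainers.jar", "rb").read()` to `shaded_versions` and supply minimum versions taken from the relevant advisories.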