Used dependency AirCompressor contains vulnerabilities

[jkalq]

Current release 4.10.4 uses aircompressor version 0.27 which contains https://nvd.nist.gov/vuln/detail/CVE-2025-67721, would it be possible to remedy this ?

[slawekjaranowski]

PR is welcome

[wilx]

I took a look. I don't think there is anything we can do here with the JVM compatibility constraints that this project, I assume, has. The versions 3.x of the aircompressor require at least Java 11. The version 2.0.2 is identical to 0.27 except the version number.

TBH, I am not even sure if the 2.x and older are even affected.

[wilx]

Welp. Someone needs to convince them to release 2.x with the fix: airlift/aircompressor#308 (comment)

[jkalq]

There already appear to be pull requests fixing those vulnerabilities and some more and a request for a backport via an issue, but alas it has been three weeks without a reaction. Hoping it gets some traction soon.

backport
further backport for additional vulnerability

[slachiewicz]

yes, just after I switched lib - they made new with Java version bump. Any alternative instead of aircomporesor?

[wilx]

OK. What about making the choice of the library a user responsibility? I tried excluding the aircompressor library from the plexus-archiver but I get class not found exception. I don't need Snappy support in my application. I have not checked the code, but how hard would it be to decouple the Snappy support providing library and the usage in plexus-archiver via something like ServiceLoader?

[slawekjaranowski]

it is used

https://github.com/search?q=repo%3Acodehaus-plexus%2Fplexus-archiver%20o.airlift.compress&type=code

by snappy and tar archives, maybe can be removed usage from tar ...

[slachiewicz]

I've replaced Airlift with (existing) commons-compress in #413

[slachiewicz]

I've released 4.11.0 - please check if works correctly