Transitive dependencies of last release (1.2.2) is flagged with CVE-2023-3635 #258
Description
The dependency tree of last release available on maven central looks like this:
.--- com.github.pemistahl:lingua:1.2.2
+--- org.jetbrains.kotlin:kotlin-stdlib:1.6.21
| +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.6.21
| \--- org.jetbrains:annotations:13.0
+--- com.squareup.moshi:moshi:1.13.0
| +--- com.squareup.okio:okio:2.10.0
| | +--- org.jetbrains.kotlin:kotlin-stdlib:1.4.20 -> 1.6.21 (*)
| | \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.4.20 -> 1.6.21
| \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.0
| +--- org.jetbrains.kotlin:kotlin-stdlib:1.6.0 -> 1.6.21 (*)
| \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.6.0
| \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.0 -> 1.6.21 (*)
+--- com.squareup.moshi:moshi-kotlin:1.13.0
| +--- com.squareup.moshi:moshi:1.13.0 (*)
| +--- org.jetbrains.kotlin:kotlin-reflect:1.6.0
| | \--- org.jetbrains.kotlin:kotlin-stdlib:1.6.0 -> 1.6.21 (*)
| \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.6.0 (*)
\--- it.unimi.dsi:fastutil:8.5.8
And com.squareup.okio:okio is marked as vulnerable CVE-2023-3635 (see GHSA-w33c-445m-f8w7)
I see that com.squareup.moshi:moshi has been updated multiple times since the release:
- 4a69da8
- Bump com.squareup.moshi:moshi from 1.14.0 to 1.15.1 #194
- Bump com.squareup.moshi:moshi from 1.15.1 to 1.15.2 #238
Is there any plans to create a new release and publish it to maven central?