spring-cloud-starter-contract-stub-runner defines outdated sonatype sisu-inject-plexus version with vulnerability

[juboe-kion]

Hi, it seems that the spring-cloud-starter-contract-stub-runner has a transitive dependency on plexus-utils:3.0.18. This version of plexus-utils seems to be vulnerable: https://avd.aquasec.com/nvd/2022/cve-2022-4244/

From what I can tell, this dependency comes from the following:

• org.sonatype.sisu » sisu-inject-plexus
• It depends on version: 2.6.0, which is from 2015 ⚠
• The project has seemingly instead moved to: org.eclipse.sisu » org.eclipse.sisu.plexus

spring-cloud-contract/spring-cloud-contract-starters/spring-cloud-starter-contract-stub-runner/pom.xml

Lines 80 to 83 in f320eb6

	<dependency>
	<groupId>org.sonatype.sisu</groupId>
	<artifactId>sisu-inject-plexus</artifactId>
	</dependency>

---

• Could you investigate and update the version of sisu plexus?
• Maybe it's even possible to remove the dependency on sisu-inject-plexus entirely?

Thanks in advance! 😄