Latest release depends on vulnerable version of commons-compress

[ronshemerws]

Hi,

The latest release available (4.2.5) depends on commons-compress 1.20 which now has these published vulnerabilities:
CVE-2021-35517
CVE-2021-35516
CVE-2021-35515
CVE-2021-36090

The version of this dependency in the master branch (1.21) is not affected by these vulnerabilities.

Is there a release expected soon?

[plamentotev]

I can do a release. Looks like plexis-io now depends on Java 8, but some Maven plugins like the jar plugin still depend on Java 7 so the most sensible thing seems to be to release plexus-archiver without releasing plexus-io. Any objections?

[michael-o]

I can do a release. Looks like plexis-io now depends on Java 8, but some Maven plugins like the jar plugin still depend on Java 7 so the most sensible thing seems to be to release plexus-archiver without releasing plexus-io. Any objections?

Sounds reasonable...

[olamy]

Sounds a reasonable reason to upgrade the jar plugin to java 8 as most of other plugins.
see apache/maven-jar-plugin#29 and https://issues.apache.org/jira/browse/MJAR-280

[plamentotev]

I've made a release without updating plexus-io so it is easier to upgrade vulnerable plugins. I'll release plexus-io and bump the Java version for Plexus Archiver to 8.