org.lz4:lz4-java:1.8.1 is available on Maven Central:
https://central.sonatype.com/artifact/org.lz4/lz4-java/versions
KSP is using this old version which is flagged for some vulnerabilities.
|
implementation("org.lz4:lz4-java:1.7.1") { isTransitive = false } |
Please upgrade to org.lz4:lz4-java:1.8.1
Side note, if you look at the pom for org.lz4:lz4-java:1.8.1
https://repo1.maven.org/maven2/org/lz4/lz4-java/1.8.1/lz4-java-1.8.1.pom
you will see:
<groupId>org.lz4</groupId>
<artifactId>lz4-java</artifactId>
<version>1.8.1</version>
<distributionManagement>
<relocation>
<groupId>at.yawk.lz4</groupId>
</relocation>
So ultimately, we should update to use at.yawk.lz4 instead, but one step at a time.
https://github.com/yawkat/lz4-java
org.lz4:lz4-java:1.8.1is available on Maven Central:https://central.sonatype.com/artifact/org.lz4/lz4-java/versions
KSP is using this old version which is flagged for some vulnerabilities.
ksp/kotlin-analysis-api/build.gradle.kts
Line 185 in cd24221
Please upgrade to
org.lz4:lz4-java:1.8.1Side note, if you look at the pom for
org.lz4:lz4-java:1.8.1https://repo1.maven.org/maven2/org/lz4/lz4-java/1.8.1/lz4-java-1.8.1.pom
you will see:
So ultimately, we should update to use
at.yawk.lz4instead, but one step at a time.https://github.com/yawkat/lz4-java