
Fix CVE-2025-67030: force plexus-utils to 4.0.3#274

Merged
merlimat merged 1 commit into oxia-db:main from merlimat:claude/objective-gould
Apr 4, 2026

Conversation


@merlimat merlimat commented Apr 4, 2026

Summary

  • Forces org.codehaus.plexus:plexus-utils to version 4.0.3 via a buildscript resolution strategy in settings.gradle.kts
  • Addresses high-severity directory traversal vulnerability (CVE-2025-67030) in the extractFile method
  • Resolves Dependabot alert #65

Test plan

  • Verify the project builds successfully
  • Confirm Dependabot alert #65 is auto-closed after merge
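The pin the summary describes, written out as an added illustration (this is not the PR's own diff, which is not reproduced on this page); it assumes the vulnerable plexus-utils version reaches the build transitively through a plugin on the settings buildscript classpath, which is why the rule lives in settings.gradle.kts rather than in a project-level dependencies block:

```kotlin
// settings.gradle.kts (added illustration, not the PR's diff)
//
// Assumption: plexus-utils arrives transitively via a plugin resolved on the
// settings buildscript classpath, so the override has to be applied to the
// buildscript configurations here.
buildscript {
    configurations.all {
        resolutionStrategy {
            // Replace any transitive request for plexus-utils with the patched
            // release. force() overrides conflict resolution entirely, so it
            // also pins the version against later upgrades; revisit the pin
            // when the plugin that pulls plexus-utils ships a fixed version.
            force("org.codehaus.plexus:plexus-utils:4.0.3")
        }
    }
}
```

Confirm the substitution took effect with `./gradlew buildEnvironment`, which reports the resolved buildscript classpath; note that this rule only covers the build classpath, so a project that also depends on plexus-utils at compile or runtime needs the same force in its own `configurations`.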

Force the transitive plexus-utils dependency to 4.0.3 to address
a high-severity directory traversal vulnerability in its extractFile
method (Dependabot alert oxia-db#65).

Signed-off-by: Matteo Merli <mmerli@apache.org>
@merlimat merlimat merged commit d140d0d into oxia-db:main Apr 4, 2026
2 checks passed
@merlimat merlimat deleted the claude/objective-gould branch April 4, 2026 19:49
