From f44fe9a664706d1c6abd85f15a6602e86b99a713 Mon Sep 17 00:00:00 2001
From: Matteo Merli
Date: Sat, 4 Apr 2026 12:34:47 -0700
Subject: [PATCH] Fix CVE-2025-67030: force plexus-utils to 4.0.3
Force the transitive plexus-utils dependency to 4.0.3 to address a high-severity directory traversal vulnerability in its extractFile method (Dependabot alert #65).
Signed-off-by: Matteo Merli
---
 settings.gradle.kts | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 67ca9e9b..cf601957 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -18,6 +18,15 @@ plugins {
 id("org.gradle.toolchains.foojay-resolver-convention") version "1.0.0"
 }
 
+// Force plexus-utils to patched version to fix CVE-2025-67030 (directory traversal)
+buildscript {
+configurations.configureEach {
+resolutionStrategy {
+force("org.codehaus.plexus:plexus-utils:4.0.3")
+}
+}
+}
+
 rootProject.name = "oxia-java"
 include("client-api")