Update rhino dependency #104

Open
wtrocki opened this issue Aug 29, 2023 · 4 comments
Comments

wtrocki commented Aug 29, 2023

Rhino https://mvnrepository.com/artifact/org.mozilla/rhino/1.7.14 is available and it contains a number of security patches.

See also: #27

wtrocki changed the title from "Update rhino dependency to fix" to "Update rhino dependency" on Aug 29, 2023

wtrocki commented Aug 29, 2023

I wanted to contribute that change but noticed that there is a fixme comment:

// FIXME: update beyond 1.7.7.x once we're Java 8 or better.

Made a PR to verify the changes: #105

@dkirrane

Can this be merged?

cykl commented Apr 25, 2024

Any news? Rhino 1.7.7.2 is reported as vulnerable by most tools. It would be great to update to the latest version.

In the meantime, should I assume it's fine to force 1.7.14 if I'm running Java 21? The comment in the code seems to imply the old version has been pinned for pre-Java 8 compatibility.

ken-i commented Aug 11, 2024

Would like to see this fix merged / deployed or can we get a new version that jumps to Rhino 1.7.14 or higher?
