Skip to content

fix(deps): migrate shadow plugin to com.gradleup.shadow 8.3.9 (COMP-1547)#119

Closed
cristianrcv wants to merge 1 commit into
masterfrom
fix/COMP-1547-plexus-utils-directory-traversal
Closed

fix(deps): migrate shadow plugin to com.gradleup.shadow 8.3.9 (COMP-1547)#119
cristianrcv wants to merge 1 commit into
masterfrom
fix/COMP-1547-plexus-utils-directory-traversal

Conversation

@cristianrcv

Copy link
Copy Markdown
Contributor

Summary

  • The com.github.johnrengelman.shadow 8.1.1 Gradle build plugin transitively pulls in the vulnerable org.codehaus.plexus:plexus-utils 3.5.1 (Directory Traversal in Expand.extractFile).
  • 8.1.1 is the final release under the com.github.johnrengelman.shadow coordinate, so it cannot be bumped in place.
  • Migrates to the maintained successor com.gradleup.shadow 8.3.9 (same 8.x line, API-compatible with the shadowJar usage in this repo), which ships plexus-utils 4.0.2 — at or above the patched 3.6.1.
  • Resolves CVE-2025-67030 / GHSA-6fmv-xxpf-w3cw.

Verified locally: ./gradlew shadowJar builds successfully under the project's Java 21 toolchain and produces app/build/libs/wave.jar as before.

JIRA

COMP-1547: Fix Plexus-Utils has a Directory Traversal vulnerability in its extractFile method

Security Advisory

https://github.com/seqeralabs/wave-cli/security/dependabot/15

🤖 Generated with Claude Code

…547)

The com.github.johnrengelman.shadow 8.1.1 build plugin pulls in the
vulnerable org.codehaus.plexus:plexus-utils 3.5.1 transitively. Its final
release under that coordinate is 8.1.1, so it cannot be upgraded in place.
The maintained successor com.gradleup.shadow 8.3.9 (same 8.x line,
API-compatible for the shadowJar usage here) ships plexus-utils 4.0.2,
which is >= the patched 3.6.1.

Addresses CVE-2025-67030 / GHSA-6fmv-xxpf-w3cw
See: https://github.com/seqeralabs/wave-cli/security/dependabot/15
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cristianrcv

Copy link
Copy Markdown
Contributor Author

Fixed within the scope of #120

@cristianrcv cristianrcv closed this Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant