diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index d96c3bc386..82ce64f52c 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -38,6 +38,7 @@ jcip-annotations = "net.jcip:jcip-annotations:1.0"
 jakarta-annotation-api = "jakarta.annotation:jakarta.annotation-api:3.0.0"
 aether-api = "org.eclipse.aether:aether-api:1.1.0"
 plexus-resources = "org.codehaus.plexus:plexus-resources:1.3.1"
+plexus-utils = "org.codehaus.plexus:plexus-utils:4.0.3"
 plexus-build-api = "org.sonatype.plexus:plexus-build-api:0.0.7"
 concurrent-trees = "com.googlecode.concurrent-trees:concurrent-trees:2.6.1"
 owasp-encoder = "org.owasp.encoder:encoder:1.4.0"
diff --git a/plugin-maven/CHANGES.md b/plugin-maven/CHANGES.md
index e8c1a23b49..cc66003859 100644
--- a/plugin-maven/CHANGES.md
+++ b/plugin-maven/CHANGES.md
@@ -5,6 +5,7 @@ We adhere to the [keepachangelog](https://keepachangelog.com/en/1.0.0/) format (
 ## [Unreleased]
 ### Fixed
 - `` with `SET_FROM_GIT` no longer runs `git log` through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters.
+- Bump transitive `plexus-utils` `4.0.2` -> `4.0.3` to address [CVE-2025-67030](https://github.com/advisories/GHSA-6fmv-xxpf-w3cw). ([#2919](https://github.com/diffplug/spotless/issues/2919))
 ## [3.5.0] - 2026-05-14
 ### Added
diff --git a/plugin-maven/build.gradle b/plugin-maven/build.gradle
index bbccdb7ba0..79d9108e80 100644
--- a/plugin-maven/build.gradle
+++ b/plugin-maven/build.gradle
@@ -34,6 +34,7 @@ dependencies {
 implementation libs.durian.io
 implementation libs.durian.collect
 implementation libs.plexus.resources
+implementation libs.plexus.utils
 implementation libs.jgit
 implementation libs.plexus.build.api
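Review bot: The new `implementation libs.plexus.utils` line in the plugin-maven/build.gradle hunk lifts the vulnerable transitive 4.0.2 only because Gradle's default conflict resolution picks the highest requested version; nothing in the build records that the entry exists solely to override a transitive version, so it reads as a genuine direct dependency and plugin code can start compiling against plexus-utils APIs it never used. Stating the intent as a constraint keeps the fix while making the reason explicit, e.g. replace the added line with `constraints { implementation(libs.plexus.utils) { because 'CVE-2025-67030: lift transitive plexus-utils 4.0.2 to 4.0.3' } }`. Whether a direct dependency or a constraint ends up in the published plugin POM in a form Maven's nearest-wins resolution honours depends on the publishing configuration not shown here, so a resolved-version check in CI (for example a `dependencyInsight` run asserting 4.0.3) is worth adding before relying on the bump. The matching catalog entry in the gradle/libs.versions.toml hunk would likewise benefit from a same-line comment such as `# pinned above the transitive 4.0.2 for CVE-2025-67030; drop once the upstream dependency updates`, since the catalog is where the next edit will happen and the pin is otherwise easy to leave behind or mistakenly remove.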