From f5039f633d436a8831d09a934a3490d68968d684 Mon Sep 17 00:00:00 2001 From: Ned Twigg Date: Fri, 15 May 2026 15:11:36 -0700 Subject: [PATCH] Bump plexus-utils to 4.0.3 to address CVE-2025-67030 plexus-resources:1.3.1 pulls in plexus-utils:4.0.2, which is vulnerable to a high-severity path traversal (CVE-2025-67030). Declaring plexus-utils:4.0.3 directly on the Maven plugin overrides the transitive version both at build time and in the published POM (nearest-wins). Fixes #2919 Co-Authored-By: Claude Opus 4.7 (1M context) --- gradle/libs.versions.toml | 1 + plugin-maven/CHANGES.md | 1 + plugin-maven/build.gradle | 1 + 3 files changed, 3 insertions(+) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index d96c3bc386..82ce64f52c 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -38,6 +38,7 @@ jcip-annotations = "net.jcip:jcip-annotations:1.0" jakarta-annotation-api = "jakarta.annotation:jakarta.annotation-api:3.0.0" aether-api = "org.eclipse.aether:aether-api:1.1.0" plexus-resources = "org.codehaus.plexus:plexus-resources:1.3.1" +plexus-utils = "org.codehaus.plexus:plexus-utils:4.0.3" plexus-build-api = "org.sonatype.plexus:plexus-build-api:0.0.7" concurrent-trees = "com.googlecode.concurrent-trees:concurrent-trees:2.6.1" owasp-encoder = "org.owasp.encoder:encoder:1.4.0" diff --git a/plugin-maven/CHANGES.md b/plugin-maven/CHANGES.md index e8c1a23b49..cc66003859 100644 --- a/plugin-maven/CHANGES.md +++ b/plugin-maven/CHANGES.md 
@@ -5,6 +5,7 @@ We adhere to the [keepachangelog](https://keepachangelog.com/en/1.0.0/) format ( ## [Unreleased] ### Fixed - `` with `SET_FROM_GIT` no longer runs `git log` through a shell, eliminating a shell-injection vector when formatting files whose names contain shell metacharacters. +- Bump transitive `plexus-utils` `4.0.2` -> `4.0.3` to address [CVE-2025-67030](https://github.com/advisories/GHSA-6fmv-xxpf-w3cw). ([#2919](https://github.com/diffplug/spotless/issues/2919)) ## [3.5.0] - 2026-05-14 ### Added diff --git a/plugin-maven/build.gradle b/plugin-maven/build.gradle index bbccdb7ba0..79d9108e80 100644 --- a/plugin-maven/build.gradle +++ b/plugin-maven/build.gradle @@ -34,6 +34,7 @@ dependencies { implementation libs.durian.io implementation libs.durian.collect implementation libs.plexus.resources + implementation libs.plexus.utils implementation libs.jgit implementation libs.plexus.build.api
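Review bot: In the libs.versions.toml hunk, the new `plexus-utils = "org.codehaus.plexus:plexus-utils:4.0.3"` entry has no direct consumer in this patch and exists only to override the 4.0.2 pulled in by the `plexus-resources` alias directly above it (per the commit message); add a short TOML comment on that line saying so and naming CVE-2025-67030 / #2919, otherwise a future dependency-update bot or a cleanup pass that finds no code importing plexus-utils is likely to drop the pin and silently reintroduce the vulnerable version.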
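Review bot: The added CHANGES.md line describes `plexus-utils` as "transitive", but the build.gradle hunk in the same patch turns it into a direct `implementation` dependency of plugin-maven, so after this change it is no longer transitive and will appear as a first-level dependency in the published POM; suggest wording along the lines of "Override transitive `plexus-utils` `4.0.2` -> `4.0.3` by declaring it directly, to address [CVE-2025-67030](...)" so readers of the changelog and of the POM are not confused by the mismatch.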
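Review bot: In the build.gradle hunk, `implementation libs.plexus.utils` carries no hint that it is a security-driven version override rather than a library the plugin actually uses; put a trailing comment next to it referencing CVE-2025-67030 and #2919, and consider adding a CI check (for example Gradle's `dependencyInsight` task on the plugin-maven runtime classpath, or a small test that reads the resolved version) asserting that `plexus-utils` resolves to 4.0.3, so that a later bump of `plexus-resources` that changes its transitive version does not regress this fix unnoticed. Note also that the "nearest-wins" rule cited in the commit message is Maven's behaviour for consumers of the published POM; Gradle itself resolves the conflict to the highest requested version, which here is the same outcome but is a different mechanism worth stating accurately in the comment.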