From e0ddde4c94a1b26a10c82840b766c86b7e0c4f12 Mon Sep 17 00:00:00 2001
From: Julian Peeters
Date: Tue, 8 Oct 2024 00:55:17 -0700
Subject: [PATCH] Bump avro version to 1.11.4 Addresses critical vulnerability CVE-2024-47561
---
 README.md | 10 +++++-----
 build.sbt | 13 ++++++++-----
 project/assembly.sbt | 2 +-
 project/build.properties | 2 +-
 project/gpg.sbt | 2 +-
 5 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index 1bcc5fd5..2ca473fa 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ _Note:_ Currently [Treehugger](http://eed3si9n.com/treehugger/comments.html#Scal
 ##### Get the dependency with:
- "com.julianpeeters" %% "avrohugger-core" % "2.8.3"
+ "com.julianpeeters" %% "avrohugger-core" % "2.8.4"
 ##### Description:
@@ -211,7 +211,7 @@ namespace rewritten. Multiple conflicting wildcards are not permitted.
 ##### Get the dependency with:
- "com.julianpeeters" %% "avrohugger-filesorter" % "2.8.3"
+ "com.julianpeeters" %% "avrohugger-filesorter" % "2.8.4"
 ##### Description:
@@ -231,17 +231,17 @@ To ensure dependent schemas are compiled in the proper order (thus avoiding `org
 #### `avrohugger-tools`
- Download the avrohugger-tools jar for Scala [2.12](https://search.maven.org/remotecontent?filepath=com/julianpeeters/avrohugger-tools_2.12/2.8.3/avrohugger-tools_2.12-2.8.3-assembly.jar), or Scala [2.13](https://search.maven.org/remotecontent?filepath=com/julianpeeters/avrohugger-tools_2.13/2.8.3/avrohugger-tools_2.13-2.8.3-assembly.jar) (>30MB!) and use it like the avro-tools jar `Usage: [-string] (schema|protocol|datafile) input... outputdir`:
+ Download the avrohugger-tools jar for Scala [2.12](https://search.maven.org/remotecontent?filepath=com/julianpeeters/avrohugger-tools_2.12/2.8.4/avrohugger-tools_2.12-2.8.4-assembly.jar), or Scala [2.13](https://search.maven.org/remotecontent?filepath=com/julianpeeters/avrohugger-tools_2.13/2.8.4/avrohugger-tools_2.13-2.8.4-assembly.jar) (>30MB!) and use it like the avro-tools jar `Usage: [-string] (schema|protocol|datafile) input... outputdir`:
 * `generate` generates Scala case class definitions:
-`java -jar /path/to/avrohugger-tools_2.12-2.8.3-assembly.jar generate schema user.avsc . `
+`java -jar /path/to/avrohugger-tools_2.12-2.8.4-assembly.jar generate schema user.avsc . `
 * `generate-specific` generates definitions that extend Avro's `SpecificRecordBase`:
-`java -jar /path/to/avrohugger-tools_2.12-2.8.3-assembly.jar generate-specific schema user.avsc . `
+`java -jar /path/to/avrohugger-tools_2.12-2.8.4-assembly.jar generate-specific schema user.avsc . `
 ## Warnings
diff --git a/build.sbt b/build.sbt
index 3c989e22..448146b4 100644
--- a/build.sbt
+++ b/build.sbt
@@ -1,13 +1,13 @@
-lazy val avroVersion = "1.11.3"
+lazy val avroVersion = "1.11.4"
 lazy val commonSettings = Seq(
 organization := "com.julianpeeters",
- version := "2.8.3",
+ version := "2.8.4",
 ThisBuild / versionScheme := Some("semver-spec"),
 scalacOptions ++= Seq("-unchecked", "-deprecation", "-feature"),
 Test / scalacOptions ++= Seq("-Yrangepos"),
- scalaVersion := "3.3.1",
- crossScalaVersions := Seq("2.12.18", "2.13.12", scalaVersion.value),
+ scalaVersion := "3.3.4",
+ crossScalaVersions := Seq("2.12.20", "2.13.15", scalaVersion.value),
 libraryDependencies += "org.apache.avro" % "avro" % avroVersion,
 libraryDependencies += "org.apache.avro" % "avro-compiler" % avroVersion,
 libraryDependencies := { CrossVersion.partialVersion(scalaVersion.value) match {
@@ -73,7 +73,10 @@ lazy val `avrohugger-filesorter` = (project in file("avrohugger-filesorter"))
 lazy val `avrohugger-tools` = (project in file("avrohugger-tools"))
 .settings(
 commonSettings,
- libraryDependencies += "org.apache.avro" % "avro-tools" % avroVersion exclude("org.slf4j", "*"),
+ libraryDependencies += "org.apache.avro" % "avro-tools" % avroVersion
+ exclude("org.slf4j", "*")
+ exclude ("org.apache.avro", "trevni-avro")
+ exclude ("org.apache.avro", "trevni-core"),
 Compile / assembly / artifact := {
 val art: Artifact = (Compile / assembly / artifact).value
 art.withClassifier(Some("assembly"))
diff --git a/project/assembly.sbt b/project/assembly.sbt
index d83c8830..11fa359e 100644
--- a/project/assembly.sbt
+++ b/project/assembly.sbt
@@ -1 +1 @@
-addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "2.1.5")
+addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "2.3.0")
diff --git a/project/build.properties b/project/build.properties
index 8cf07b7c..3829f19f 100644
--- a/project/build.properties
+++ b/project/build.properties
@@ -1 +1 @@
-sbt.version=1.9.8
\ No newline at end of file
+sbt.version=1.10.2
\ No newline at end of file
diff --git a/project/gpg.sbt b/project/gpg.sbt
index 29e1b63d..e1a7f315 100644
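Review bot: The two exclusions added to the `avro-tools` dependency of `avrohugger-tools`, `exclude ("org.apache.avro", "trevni-avro")` and `exclude ("org.apache.avro", "trevni-core")`, come without a comment, and the commit message only mentions the Avro bump for CVE-2024-47561, so a later maintainer cannot tell whether they are a resolution workaround or a deliberate removal. Because this module is shipped as an assembly jar, any avro-tools code path that needs the Trevni classes would presumably fail only at run time, so I would add a line such as `// trevni-* excluded because <reason>; drop once <condition>` above the dependency. It is also worth confirming from the resolved classpath that the assembled jar carries Avro only at `avroVersion`, since the CVE fix holds only if no older Avro classes are merged into the fat jar. The spacing differs from the existing `exclude("org.slf4j", "*")`; writing `exclude("org.apache.avro", "trevni-avro")` would match it. The `.settings(` block continues past the end of the hunk.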
--- a/project/gpg.sbt
+++ b/project/gpg.sbt
@@ -1 +1 @@
-addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.2.1")
\ No newline at end of file
+addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.3.0")
\ No newline at end of file