fix: protobuf-java version for CVE-2024-7254

Signed-off-by: Todd Baert <[email protected]>
open-feature · Oct 21, 2024 · df39c35 · df39c35
1 parent 39f0c22
commit df39c35
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/providers/flagd/pom.xml b/providers/flagd/pom.xml
@@ -32,6 +32,13 @@
     </developers>
 
     <dependencies>
+        <!-- temporary to fix CVE-2024-7254 (see: https://github.com/advisories/GHSA-735f-pc8j-v9w8) - remove once this is in gRPC-java -->
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.25.5</version>
+        </dependency>
+
         <!-- we inherent dev.openfeature.javasdk and the test dependencies from the parent pom -->
         <dependency>
             <groupId>io.grpc</groupId>