fix #1102: feign-form-spring relocated under io.github.openfeign #1103
+1
−33
Fixed #1102 and aligns `feign-form-spring` with the rest of OpenFeign.

Leaving the exclusion for `commons-io` for now since it still has vulnerabilities in versions < 2.14 (See also #1098), which is still a transitive dependency of `feign-form-spring:13.5` (via `commons-fileupload:1.5`).

Edit: I just realized that excluding `commons-io` but removing the direct dependency on `commons-fileupload` will not work for end users, as they actually need the former for the latter.

Previously it was still there because of the explicit dependency on `commons-fileupload` (the exclusions were a bit useless, actually), and users were getting version 2.11 (with the CVE mentioned in #1098). It will still be the case. The only dependencies that actually change in this PR are `feign-form` and `feign-form-spring` (checked with `dependency:list` on the starter module after `mvn install`).

Note that there is also an explicit dependency on version 2.17, but only with `test` scope. You might as well make it a compile-time dependency so that users get the version with the CVE fix…