Forsøk på å løse json-smart 4: update to newest nimbus-jose-jwt since the old one has shaded json-smart of vulnerable version

kristoiv · kristoiv · commit d4d45c3a12ca · 2023-11-23T15:44:10.000+01:00
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -32,8 +32,6 @@ fun graphqlKotlin(name: String) = "com.expediagroup:graphql-kotlin-$name:6.4.0"
 dependencies {
     implementation(kotlin("stdlib-jdk8"))
 
-    // implementation("net.minidev:json-smart:2.4.9")
-
     // Http
     implementation("no.nav.hjelpemidler.http:hm-http:v0.0.4")
 
@@ -79,6 +77,12 @@ dependencies {
     val tokenSupportVersion = "3.0.0"
     // implementation("com.github.navikt.tms-ktor-token-support:token-support-authentication-installer:$tokenSupportVersion")
     implementation("com.github.navikt.tms-ktor-token-support:token-support-azure-validation:$tokenSupportVersion")
+    constraints {
+        implementation("com.nimbusds:nimbus-jose-jwt:9.37.1") {
+            because("json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion), since 9.19 has a shaded json-smart")
+        }
+    }
+
     implementation("com.github.navikt.tms-ktor-token-support:token-support-tokendings-exchange:$tokenSupportVersion")
     implementation("com.github.navikt.tms-ktor-token-support:token-support-tokenx-validation:$tokenSupportVersion")
 
