Release 0.5.0 vulnerabilities report #276
Comments
Looks like we finally can update to Scala 2.12, which is AFAIK the last version supported by polyglot-maven/polyglot-scala/pom.xml (lines 23 to 25 in 801746a).

cstamas pushed a commit that referenced this issue on Nov 4, 2023 (merged):
Due to some security vulnerabilities in the Scala 2.11 compiler, I switched `polyglot-scala` to Scala 2.12, which is the last version for which there is a release of `com.twitter:util-eval`, which we use to compile and evaluate the `pom.scala` files. Unfortunately, `util-eval` throws runtime exceptions when used as-is, which is mostly due to internal changes in the Scala compiler. Since `util-eval` doesn't work with Scala 2.12 and was even removed upstream for quite some time, I vendored the single file `Eval.scala` and applied some small refactorings to make it work. The imported file was licensed under the Apache Licence, version 2, which is identical to this project's license.

Due to the version bump from Scala 2.11 to 2.12, I'd consider this pull request a breaking change. The next release number for polyglot(-scala) should therefore be `0.6.0` (if we apply early semantic versioning).

* Fix #276

I think it's worth investigating whether we can follow up with a bump to Scala 2.13. I haven't tested it yet, due to some dependencies not being available. But it looks like `com.googlecode.kiama` has moved to https://github.com/inkytonik/kiama, so there should be no blockers. But the `Eval` might break again due to expected compiler changes.
Seems Scala is flagged as vulnerable:
https://ossindex.sonatype.org/component/pkg:maven/org.scala-lang/scala-compiler@2.11.12?utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0
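The OSS Index link above identifies the flagged component by its Package URL (purl), `pkg:maven/org.scala-lang/scala-compiler@2.11.12`. The following is an added example, not code from the polyglot-maven project or from anyone in this thread: it extracts that purl from the link, converts Maven coordinates of the shape `mvn dependency:list` prints into purls, and reports which resolved dependencies match a flagged set. The dependency list lines are constructed for the example and are not the project's real dependency tree; only the OSS Index URL is taken from the issue.

```python
"""Added example (not part of the polyglot-maven issue or project code).

Match resolved Maven dependencies against OSS Index-style Package URLs.
The flagged purl is the one quoted in the issue; the dependency list is a
constructed sample shaped like `mvn dependency:list` output.
"""
from urllib.parse import urlparse, unquote

# OSS Index component link quoted in the issue. The purl is the path segment
# after "/component/"; the utm_* query parameters carry no component data.
OSSINDEX_URL = (
    "https://ossindex.sonatype.org/component/pkg:maven/org.scala-lang/"
    "scala-compiler@2.11.12?utm_source=ossindex-client&utm_medium=integration"
    "&utm_content=1.7.0"
)

# Constructed sample (NOT the project's actual tree), shaped like the
# output of `mvn dependency:list`: groupId:artifactId:packaging:version:scope.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:3.6.0:list (default-cli) @ polyglot-scala ---
[INFO] The following files have been resolved:
[INFO]    org.scala-lang:scala-compiler:jar:2.11.12:compile
[INFO]    org.scala-lang:scala-library:jar:2.11.12:compile
[INFO]    com.twitter:util-eval_2.11:jar:6.43.0:compile
[INFO]    org.apache.maven:maven-core:jar:3.9.5:provided
"""


def purl_from_ossindex_url(url):
    """Return the purl embedded in an OSS Index component URL."""
    path = urlparse(url).path
    marker = "/component/"
    if marker not in path:
        raise ValueError("not an OSS Index component URL: %s" % url)
    # unquote() undoes any percent-encoding of '@' or '/' in the path
    return unquote(path.split(marker, 1)[1])


def purl_from_coordinate(coord):
    """Convert 'group:artifact:packaging[:classifier]:version:scope' to a purl.

    The scope is always the last field and the version the one before it, so
    the optional classifier does not change where the version sits.
    """
    parts = coord.split(":")
    if len(parts) < 5:
        raise ValueError("unexpected coordinate shape: %s" % coord)
    group, artifact, version = parts[0], parts[1], parts[-2]
    return "pkg:maven/%s/%s@%s" % (group, artifact, version)


def parse_dependency_list(text):
    """Pick the resolved-coordinate lines out of `mvn dependency:list` output."""
    coords = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        # Plugin banner and prose lines have fewer than four colons.
        if line.count(":") >= 4:
            coords.append(line)
    return coords


def flagged_dependencies(dependency_list_text, flagged_purls):
    """Return the coordinates whose purl is in the flagged set."""
    flagged = set(flagged_purls)
    return [
        coord
        for coord in parse_dependency_list(dependency_list_text)
        if purl_from_coordinate(coord) in flagged
    ]


if __name__ == "__main__":
    flagged = [purl_from_ossindex_url(OSSINDEX_URL)]
    for coord in flagged_dependencies(SAMPLE_DEPENDENCY_LIST, flagged):
        print("flagged:", coord, "->", purl_from_coordinate(coord))
```

The match is exact on group, artifact and version, which is what a purl lookup against OSS Index gives you; after a version bump such as the move to Scala 2.12 in the commit above, the same check run over the new dependency list returns an empty result for the old purl, which is the quick confirmation that the flagged coordinate is actually gone from the resolved tree rather than merely changed in one `pom.xml`.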