Expected Behavior

It would be ideal if we could migrate to the updated fork of the library, https://github.com/sparklemotion/nekohtml, which addresses the high-impact DoS vulnerability and has more potential to stay up to date should any more security advisories be issued.

Current Behavior

spring-security-dependencies defines the dependency net.sourceforge.nekohtml:nekohtml:1.9.22, which is no longer maintained (since 2014) and includes several reported vulnerabilities that are not being looked into, as per: https://security.snyk.io/package/maven/net.sourceforge.nekohtml:nekohtml

Context

As part of hardening processes, regular updates and best practices, we are trying to keep our dependencies on supported and up-to-date versions in our products, but since net.sourceforge.nekohtml:nekohtml is included with spring-security, we cannot directly influence this, and hence I have created this enhancement for consideration.

Creating this as an enhancement, as the security issues do not lie directly with spring-security and are already disclosed anyway for the SourceForge fork of nekohtml.

Comment From: marcusdacoregio

Hi @vfarek, this dependency was being used by the deprecated and now removed spring-security-openid module. Therefore, I'll remove that dependency entirely for the 6.x line. I don't think we want to do any dependency changes in a deprecated module for now, unless it is really needed.