Describe the bug
`spring-cloud-openfeign-core` depends on `commons-fileupload:1.5`, which in turn depends on `commons-io:2.11`, which suffers from CVE-2024-47554. It would be nice to upgrade it for the next release so that end-users don’t have to force the version of `commons-io`.
Note that Gary D. Gregory indicated in FILEUPLOAD-357 that a release of `commons-fileupload:1.6` is already planned with an upgrade of `commons-io`, so you may want to just wait for it.
On the other hand, `commons-fileupload` seems to be needed only for `feign-forms-spring`, so maybe both should be made optional? BTW it seems that `feign-forms-spring` was merged into the main feign project, so it will be relocated in its next release (change of `groupId` and alignment on version number).
Comment From: OlgaMaciaszek
Hello, @DidierLoiseau, thanks for reporting the issue. https://github.com/OpenFeign/feign-form?tab=readme-ov-file#form-encoder is a separate project, not maintained by our team, and there is no higher version of that project that we could upgrade to. Please create an issue there and link it here so that we can track it and upgrade as soon as it's fixed in the downstream project.
Comment From: DidierLoiseau
Thanks @OlgaMaciaszek for your answer. `spring-cloud-openfeign-core` actually has an exclusion and an explicit dependency on `commons-fileupload`, so currently the dependency is maintained here.
I agree that things will be easier when they release a new version with an updated `commons-io`/`commons-fileupload` though, but you will have to deal with the relocation as well then – I just created #1102 for that.
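The two mechanisms this thread refers to, an end-user forcing the `commons-io` version and the exclusion-plus-explicit-dependency pattern used for `commons-fileupload`, as an added Maven example that is not code from the original thread or from the spring-cloud-openfeign project. The consuming project's coordinates (`com.example:demo`) and the starter artifact are assumptions; the pinned `commons-io` version is taken from the Apache advisory for CVE-2024-47554 (fixed in 2.14.0), not from this thread, and should be confirmed against it before use:

```xml
<!-- Added example, not from the thread: a consumer pom.xml fragment.
     com.example:demo, the starter artifact and the pinned version are assumptions. -->
<project>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Mechanism 1: force commons-io to a version not affected by
           CVE-2024-47554. A dependencyManagement entry overrides the
           transitive 2.11.0 wherever it is pulled in, including through
           commons-fileupload:1.5. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.14.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-openfeign</artifactId>
      <!-- version assumed to be managed by the spring-cloud BOM; omitted here -->
      <!-- Mechanism 2: the pattern spring-cloud-openfeign-core itself uses,
           exclude the transitive commons-fileupload from the whole subtree
           and declare it explicitly below, so its version is controlled in
           this pom (bumping to 1.6 once released is then a one-line change). -->
      <exclusions>
        <exclusion>
          <groupId>commons-fileupload</groupId>
          <artifactId>commons-fileupload</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.5</version>
    </dependency>
  </dependencies>
</project>
```

To check what actually ends up on the classpath after either change, `mvn dependency:tree -Dincludes=commons-io` prints only the `commons-io` nodes of the resolved tree, which is where a leftover 2.11.0 would show up.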
Comment From: OlgaMaciaszek
Right @DidierLoiseau; waiting for `commons-fileupload` 1.6 then.
Comment From: OlgaMaciaszek
Will not be handling it directly anymore after https://github.com/spring-cloud/spring-cloud-openfeign/pull/1103 gets merged.
Comment From: jurgis-sipols
@DidierLoiseau, @OlgaMaciaszek - what's interesting is the `commons-fileupload` team's work on version 2.X (https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt), which is under a different group and artifact ID:
```xml
<groupId>org.apache.commons</groupId>
<artifactId>commons-fileupload2</artifactId>
```
Given the rare release cycle for 1.X (https://github.com/apache/commons-fileupload/tags), I think 1.6 might not come so soon if at all.
Comment From: DidierLoiseau
@jurgis-sipols the dependency has already been upgraded in the 1.x branch (even before I created FILEUPLOAD-357, actually), so all it needs is to be released…
There is activity on both the main and 1.x branches, so it’s not as if either branch were abandoned, but maybe they still have some remaining tasks/goals for 1.6 – which I don’t find in Jira though.
Comment From: OlgaMaciaszek
Hi @jurgis-sipols, thanks for linking this. Once it's been released as a GA, we can switch to it, but we'd usually switch dependencies for different majors only on new release lines. If you stay on top of it and see a GA's been released, feel free to submit the PR with the swap to the `main` branch.