Dependency updates

Michael Schechter

01 Jan, 2024 09:39 PM

I am using the latest version of Moneydance. I happened to notice that the third-party libraries in use (Jackson, Commons Lang, etc.) are out of date and potentially vulnerable to compromise from malicious code. Could you please let me know if there's any way these dependencies can be updated?

Dependencies in need of update include:
- Antlr
- Commons-Lang3
- Commons Logging
- Dropbox SDK
- GSON

  1. Support Staff: Posted by Sean Reilly on 20 Jan, 2024 11:23 PM

    Hi Michael,

    I am updating most of the dependencies for the next version of moneydance. However I don't believe any of the dependencies we use expose any vulnerabilities. If you know of any specifically, please let me know and I'll investigate further.

    All the best,
    Sean

    --
    Sean Reilly
    Developer, The Infinite Kind
    https://infinitekind.com

  2. Posted by Michael Schecht... on 21 Jan, 2024 03:09 AM

    Most of the dependency issues are age-related (activation and the Dropbox SDK are the most obvious of those). Some of these are more than 5 years out of date. It is also of concern that there are mismatches (for example, the Jackson libraries should be in sync).

    The Plaid client JAR, while only 2 years old, is 11 major versions behind. Using the latest Retrofit (great client choice, BTW) with older Okio/OkHTTP dependencies is also surprising.

    httpclient-4.5.6.jar has a medium vulnerability

    kotlin-stdlib-1.5.20.jar has a medium vulnerability

    okhttp-4.9.1.jar has a high vulnerability

    okio-2.10.0.jar has a high vulnerability

    Hope this helps!
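One way to do the kind of triage described in the post above, as an added example rather than code from Moneydance or The Infinite Kind: it inventories the JARs in a lib/ listing from their filenames, flags lockstep families (Jackson) whose members are on different versions, and flags artifacts below a reviewer-supplied minimum. The sample listing, the lockstep prefix set and the MIN_VERSION thresholds are constructed placeholders; real thresholds would come from an advisory source such as OSV or OWASP Dependency-Check.

```python
import re
from collections import defaultdict

# Constructed lib/ listing echoing the JAR names in the thread; not Moneydance's real bundle.
SAMPLE_JARS = [
    "httpclient-4.5.6.jar", "kotlin-stdlib-1.5.20.jar", "okhttp-4.9.1.jar",
    "okio-2.10.0.jar", "jackson-core-2.13.0.jar", "jackson-databind-2.12.3.jar",
    "jackson-annotations-2.13.0.jar", "commons-lang3-3.8.1.jar", "NOTICE.txt",
]
# Artifact families released in lockstep, whose members should share one version.
LOCKSTEP_PREFIXES = ("jackson-",)
# Placeholder thresholds: fill from an advisory source (OSV, NVD, OWASP
# Dependency-Check); these numbers are illustrative, not real advisory data.
MIN_VERSION = {"okhttp": (4, 12, 0), "okio": (3, 4, 0)}
# "<artifact>-<numeric version>[-qualifier].jar", e.g. kotlin-stdlib-1.5.20.jar
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_jar(filename):
    """Return (artifact, version tuple), or None for unversioned or non-JAR files."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), tuple(int(p) for p in m.group("ver").split("."))

def inventory(filenames):
    """Map artifact name -> version tuple for every versioned JAR in the listing."""
    return dict(p for p in map(parse_jar, filenames) if p)

def version_skew(inv):
    """Lockstep families whose members sit on different versions (the Jackson case)."""
    groups = defaultdict(dict)
    for name, ver in inv.items():
        for prefix in LOCKSTEP_PREFIXES:
            if name.startswith(prefix):
                groups[prefix.rstrip("-")][name] = ver
    return {fam: m for fam, m in groups.items() if len(set(m.values())) > 1}

def below_minimum(inv, minimums=MIN_VERSION):
    """Artifacts present in the bundle but older than the supplied threshold."""
    return [(n, inv[n], minimums[n]) for n in sorted(minimums)
            if n in inv and inv[n] < minimums[n]]

def audit(filenames):
    """Combine both checks; a reviewer would run this over os.listdir('lib')."""
    inv = inventory(filenames)
    return {"skew": version_skew(inv), "outdated": below_minimum(inv)}
```

Version tuples compare numerically, so 4.9.1 sorts below 4.12.0 where a plain string comparison would get it wrong.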
