Dapr Low Severity Vulnerability

[rahulpoddar-fyndna]

With the new dapr version 1.14.0, we observed a low level vulnerability basis Snyk report, described below -

✗ Information Exposure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744] in org.jetbrains.kotlin:kotlin-stdlib@1.9.25

Synk recommendation
Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 2.1.0 or higher.

[WhitWaldo]

The latest stable version of Dapr is 1.15.4, not 1.14.0. Do you still see the recommendation if you're using the latest version?

[alicejgibbons]

This is a Java SDK vulnerability not a runtime one, and is a cascading dependency of okio library.

Vuln Link: https://security.snyk.io/vuln/SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744
Source: org.jetbrains.kotlin:kotlin-stdlib@1.9.25 introduced by io.dapr:dapr-sdk@1.14.0 > io.dapr:dapr-sdk-autogen@1.14.0 > com.squareup.okio:okio@3.9.1 > com.squareup.okio:okio-jvm@3.9.1 > org.jetbrains.kotlin:kotlin-stdlib@1.9.25

This issue was fixed in versions: 2.1.0 of kotlin and so the version of okio and okio-jvm needs to be bumped and confirmed that is it fixed in 3.11.0