Fix netty dependency to not include vulnerable 4.1.79 version jars. (o…

…pensearch-project#277) This change forces the usage of netty 4.1.86.Final. grpc-netty 1.5.1 depends on the vuln versions, we were overriding the version for some of the included netty jars but not all. Signed-off-by: Marc Handalian <handalm@amazon.com>
dzane17 · Jan 23, 2023 · b825070 · b825070
1 parent 7c52078
commit b825070
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/build.gradle b/build.gradle
@@ -335,7 +335,10 @@ dependencies {
     implementation group: 'com.google.protobuf', name: 'protobuf-java', version: '3.21.12'
     implementation 'io.grpc:grpc-netty:1.52.1'
     implementation 'io.grpc:grpc-protobuf:1.52.1'
-    implementation('io.netty:netty-transport-native-unix-common:4.1.86.Final') {
+    implementation('io.netty:netty-codec-http2:4.1.86.Final') {
+        force = 'true'
+    }
+    implementation('io.netty:netty-handler-proxy:4.1.86.Final') {
         force = 'true'
     }
     implementation 'io.grpc:grpc-stub:1.52.1'