Accessors-smart is being reported against CVE-2023-1370

[Grimoren]

It seems this CVE is being reported only against accessors-smart since the rest are updated with a new version. Is I possible to produce 2.4.10 version of this.
I am not sure why there is individual versions on the different subprojects. It seems a bit unnecessarily complicated. Should just use the same version of all the libraries in this repo.

[UrielCh]

Accessors-smart itself is not concerned by CVE-2023-1370

I can bump the project version, but the code will remain the same.

[Grimoren]

Yes. that is true. It would nice to keep the versions consistent. I typically have my version variables associated to the GitHub repos and when they vary, it's a bit annoying to have to create a new variable. In this instant I have two variables:
netplexJsonSmartV2Version = "2.4.10" // https://github.com/netplex/json-smart-v2
netplexJsonSmartV2AccessorsVersion = "2.4.9" // https://github.com/netplex/json-smart-v2 - split version for accesors

[UrielCh]

jsonSmartV2Accessors contains the same code since V2.4.0 so just hard code jsonSmart Accessors version in your maven files.

I will try pu push a new copy tomorrow.

[miralexan]

Any movement on pushing a 2.4.10 accessors-smart version? Our tooling is also complaining about the mentioned CVE.

[UrielCh]

accessors-smart 2.4.10 is released, I let you close the issue.

[rachbowyer]

accessors-smart 2.4.10 does not seem to be on the Maven repos - see https://mvnrepository.com/artifact/net.minidev/accessors-smart
Would it be possible to do an official build of this jar?

[zdenda-online]

Exactly, I see version 2.4.10 in this repository but not in maven central (yet?). Is there any ETA please?

[dtrunk90]

That's because json-smart 2.4.10 still has accessors-smart 2.4.9 as dependency. There's no accessors-smart 2.4.10. Could you please update?

[UrielCh]

V 2.4.11 just released.
the release contains all 3 sub-projects with the last 2.4.11 version number.

no more reference to any 2.4.9 version.

[Grimoren]

Confirmed 2.4.11 is released for both json-smart and smart-accessors and the cve is no longer reporting. Thanks for the update!