CVE affecting 2 library dependencies #14235

Closed
michelou opened this issue Jan 9, 2022 · 2 comments · Fixed by #14247
Comments

@michelou
Contributor

michelou commented Jan 9, 2022

Compiler version

The issue exists in both versions 3.1.1-RC2 and 3.1.2-DEV of the Scala 3 software distribution.

Affected Java library

Both Java libraries jackson-databind 2.2.x and liqp 0.6.x are affected by over 40 CVEs, and:

  1. Dependency on jackson-databind 2.2.3 exists in all Scala 3 distributions since version 3.0.0.
  2. Dependency on liqp 0.6.7 exists in versions 3.0.x up to 3.1.1-RC2.
  3. Dependency on liqp 0.6.8 exists in version 3.1.2-DEV.

Final Notes

  1. In January 2018 @smarter failed to update liqp as described in issue 3859 and I did not find any trace of another try.
  2. In October 2021 @michelou opened discussion 17799 to gain attention but without success to date.

CC @sjrd @SethTisue

@smarter
Member

smarter commented Jan 9, 2022

It'd be nice to keep our dependencies up to date of course, but CVEs in our dependencies are not a security concern: the input of scalac/scaladoc is your own code, not some untrusted user input, and you don't need any exploit to get arbitrary code execution, just call a macro, so patching CVEs won't make you less vulnerable to untrusted input.

@smarter smarter removed their assignment Jan 9, 2022
@julienrf
Contributor

julienrf commented Jan 9, 2022

@michelou thank you for the report! Do you know if upgrading those dependencies would require a lot of work?
