Merge pull request #4371 from guardian/an/override-avro

override apache avro to 1.11.4 to avoid critical vuln
guardian · Nov 14, 2024 · 731fd33 · 731fd33
2 parents 485f8c7 + 9f58706
commit 731fd33
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/build.sbt b/build.sbt
@@ -161,7 +161,11 @@ lazy val thrall = playProject("thrall", 9002)
       "io.github.streetcontxt" %% "kcl-akka-stream" % "4.1.1",
       "org.testcontainers" % "elasticsearch" % "1.19.2" % Test,
       "com.google.protobuf" % "protobuf-java" % "3.19.6"
-    )
+    ),
+    // amazon-kinesis-client 2.4.2 brings in a critically vulnerable version of apache avro,
+    // but we cannot upgrade amazon-kinesis-client further until we move into slf4j v2.
+    // TODO when upgrading kinesis-client - can we remove this override?
+    dependencyOverrides += "org.apache.avro" % "avro" % "1.11.4"
   )
 
 lazy val usage = playProject("usage", 9009).settings(