Description
First of all, thank you for your continuous efforts in making Keycloak the leading identity solution.
While reviewing the dependency tree for keycloak-admin-client (v26.x), I noticed that it currently maintains dependencies on the following artifacts:
jackson-coreutils 2.0: https://mvnrepository.com/artifact/com.github.java-json-tools/jackson-coreutils/2.0
json-patch 1.13: https://mvnrepository.com/artifact/com.github.fge/json-patch/1.13
According to the security information provided in the repositories, these specific versions are reported to contain multiple known vulnerabilities.
Discussion
No response
Motivation
When integrating Keycloak into applications with high security requirements, these dependencies are frequently flagged due to the presence of multiple CVEs. It would be beneficial to transition to a more secure implementation.
Details
Are there any plans or a roadmap to migrate the JSON Patch/Pointer logic to a more secure implementation?