;; tools.deps manifest: classpath roots, Maven repositories, runtime
;; dependencies and tool aliases.
{:paths ["src" "resources"]
;; Both repositories are declared with https:// URLs, so artifacts are
;; resolved over TLS.
:mvn/repos
{"central" {:url "https://repo1.maven.org/maven2/"}
"clojars" {:url "https://repo.clojars.org/"}}
;; Runtime dependencies.
;; A coordinate declared at the top level here takes precedence over any
;; version of the same library requested transitively; the "Override ..." and
;; "Addresses CVE-..." entries below rely on that to force patched versions.
:deps
{aero/aero {:mvn/version "1.1.6"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
ch.qos.logback/logback-classic {:mvn/version "1.5.25"}
cheshire/cheshire {:mvn/version "6.1.0"}
clj-http/clj-http {:mvn/version "3.13.1"}
clj-stacktrace/clj-stacktrace {:mvn/version "0.2.8"}
;; NOTE(review): the exclusions below are only safe while the excluded
;; artifacts stay unused; re-check them if any friend feature that needs
;; them is ever enabled.
com.cemerick/friend {:mvn/version "0.2.3"
:exclusions [ ;; not used, excluded to address CVE-2007-1652, CVE-2007-1651
org.openid4java/openid4java-nodeps
;; not used, excluded to address CVE-2012-0881, CVE-2013-4002, CVE-2009-2625
net.sourceforge.nekohtml/nekohtml]}
com.cognitect.aws/api {:mvn/version "0.8.774"}
com.cognitect.aws/endpoints {:mvn/version "871.2.41.10"}
com.cognitect.aws/s3 {:mvn/version "871.2.40.9"}
com.cognitect.aws/sqs {:mvn/version "871.2.34.1"}
com.cognitect.aws/ssm {:mvn/version "871.2.38.3"}
com.github.scribejava/scribejava-apis {:mvn/version "8.3.3"}
com.github.seancorfield/honeysql {:mvn/version "2.7.1368"}
com.github.seancorfield/next.jdbc {:mvn/version "1.3.1086"}
;; Override the version brought in by commons-email to address CVE-2025-7962
;; Excluded from antq checking as it wants to upgrade to 2.0.2, which isn't
;; compatible with commons-email
;; Because antq skips this entry, newer releases on this line will not be
;; reported automatically; track its security fixes by hand.
com.sun.mail/jakarta.mail ^:antq/exclude {:mvn/version "1.6.8"}
com.stuartsierra/component {:mvn/version "1.2.0"}
;; Override the version brought in by aging-session to address CVE-2020-24164
;; & CVE-2024-36124
com.taoensso/nippy {:mvn/version "3.6.0"}
comb/comb {:mvn/version "1.0.0"}
digest/digest {:mvn/version "1.4.10"}
duct/duct {:mvn/version "0.8.2"}
duct/hikaricp-component {:mvn/version "0.1.2"
:exclusions [org.slf4j/slf4j-nop]}
;; manually imported clj-kondo configs from 2.x branch to .clj-kondo/imports/hiccup/hiccup
hiccup/hiccup {:mvn/version "1.0.5"}
kirasystems/aging-session {:mvn/version "0.5.0"
:exclusions [org.clojure/clojurescript]}
metosin/malli {:mvn/version "0.20.0"}
metosin/muuntaja {:mvn/version "0.6.11"}
metosin/muuntaja-yaml {:mvn/version "0.6.11"}
net.cgrand/regex {:mvn/version "1.1.0"}
;; This fork of http-kit supports :status-message to allow us to
;; continue to send custom status messages on deploy failure.
;; See https://github.com/clojars/http-kit
;; NOTE(review): as a fork, security fixes released upstream presumably have
;; to be merged and re-released by hand - confirm there is a process for it.
net.clojars.internal/http-kit {:mvn/version "2.9.0-beta3-clojars-03"}
;; This fork is so we can have a version of one-time that uses
;; https://github.com/nayuki/QR-Code-generator instead of
;; https://github.com/kenglxn/QRGen, as the latter is deployed to jitpack.io,
;; requiring an additional repo, and has vulnerable dependencies. It can't be
;; a git dep, as it uses a lein project.clj instead of deps.edn. We can remove
;; this and go back to the canonical release once 0.9.0 is released
;; officially (see https://github.com/suvash/one-time/issues/27)
net.clojars.internal/one-time {:mvn/version "0.9.0-clojars-02"}
org.apache.commons/commons-email {:mvn/version "1.6.0"}
org.apache.lucene/lucene-core {:mvn/version "10.3.2"}
org.apache.lucene/lucene-analysis-common {:mvn/version "10.3.2"}
org.apache.lucene/lucene-queryparser {:mvn/version "10.3.2"}
org.apache.maven/maven-model {:mvn/version "3.9.12"}
org.apache.maven/maven-repository-metadata {:mvn/version "3.9.12"}
;; Override bouncycastle brought in by buddy-core to address CVE-2025-8916
;; Both bouncycastle artifacts are pinned to the same version.
org.bouncycastle/bcpkix-jdk18on {:mvn/version "1.83"}
org.bouncycastle/bcprov-jdk18on {:mvn/version "1.83"}
org.clojure/clojure {:mvn/version "1.12.4"}
org.clojure/data.xml {:mvn/version "0.2.0-alpha10"}
org.clojure/tools.logging {:mvn/version "1.3.1"}
;; NOTE(review): this is a runtime (not :dev) dependency. An nREPL server
;; evaluates arbitrary code for any client that can connect, so confirm it
;; is bound to loopback only and not reachable from outside the host.
org.clojure/tools.nrepl {:mvn/version "0.2.13"}
org.postgresql/postgresql {:mvn/version "42.7.9"}
raven-clj/raven-clj {:mvn/version "1.7.0"}
ring/ring-core {:mvn/version "1.15.3"}
ring/ring-defaults {:mvn/version "0.7.0"}
valip/valip {:mvn/version "0.2.0"}
;; # Address CVEs
;; Each entry below is pinned to address the CVEs listed above it. When
;; changing one of these versions, re-check that the listed CVEs stay fixed.
;; Addresses CVE-2022-42004, CVE-2022-42003, CVE-2021-46877, CVE-2020-36518
com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.21.0"}
;; Addresses CVE-2019-10086, CVE-2014-0114, CVE-2025-48734
commons-beanutils/commons-beanutils {:mvn/version "1.11.0"}
;; Addresses CVE-2015-6420
;; Excluded from antq checking as it wants to upgrade to 20040616, which is actually a downgrade
commons-collections/commons-collections ^:antq/exclude {:mvn/version "3.2.2"}
;; Addresses CVE-2015-0886
org.mindrot/jbcrypt {:mvn/version "0.4"}}
;; Tool aliases; each one applies only when it is selected on the command line.
;; :build - tools.build, with `build` as the default namespace.
:aliases {:build {:deps {io.github.clojure/tools.build {:mvn/version "0.10.12"}}
:ns-default build}
;; :check - clj-check is a git dependency pinned to a full commit SHA rather
;; than a branch or tag, so the resolved code cannot change under this entry.
:check {:extra-deps {athos/clj-check {:git/url "https://github.com/athos/clj-check.git"
:sha "d997df866b2a04b7ce7b17533093ee0a2e2cb729"}}
:main-opts ["-m" "clj-check.check"]}
;; :dev - extra dependencies and the dev/dev-resources/test paths.
;; NOTE(review): this alias pulls in REPL and test tooling; confirm it is
;; never selected when building or running the production artifact.
:dev {:extra-deps
{clj-commons/pomegranate {:mvn/version "1.3.26"}
;; manually imported clj-kondo to .clj-kondo/imports/kerodon/kerodon
kerodon/kerodon {:mvn/version "0.9.1"}
net.polyc0l0r/bote {:mvn/version "0.1.0"}
nubank/matcher-combinators {:mvn/version "3.9.2"}
org.clojure/tools.namespace {:mvn/version "1.5.1"}
reloaded.repl/reloaded.repl {:mvn/version "0.2.4"}
vvvvalvalval/scope-capture-nrepl {:mvn/version "0.3.1"}}
:extra-paths ["dev" "dev-resources" "test"]}
;; :migrate-db - runs clojars.tools.migrate-db with the argument "development".
:migrate-db {:main-opts ["-m" "clojars.tools.migrate-db" "development"]}
;; :setup-dev-repo - runs clojars.tools.setup-dev.
:setup-dev-repo {:main-opts ["-m" "clojars.tools.setup-dev"]}
;; :test - runs the kaocha test runner.
:test {:extra-deps
{lambdaisland/kaocha {:mvn/version "1.91.1392"}}
:main-opts ["-m" "kaocha.runner"]}}}