spring-cloud-openfeign-core transitively depends on commons-io with CVE-2024-47554

[DidierLoiseau]

Describe the bug
spring-cloud-openfeign-core depends on commons-fileupload:1.5 which in turn depends on commons-io:2.11 which suffers from CVE-2024-47554. It would be nice to upgrade it for the next release so that end-users don’t have to force the version of commons-io.

Note that Gary D. Gregory indicated in FILEUPLOAD-357 that a release of commons-fileupload:1.6 is already planned with an upgrade commons-io, so you may want to just wait for it.

On the other hand, commons-fileupload seems to be needed only for feign-forms-spring, so maybe both should be made optional? BTW it seems that feign-forms-spring was merged into the main feign project, so it will be relocated in its next release (change of groupId and alignment on version number).

[OlgaMaciaszek]

Hello, @DidierLoiseau, thanks for reporting the issue. https://github.com/OpenFeign/feign-form?tab=readme-ov-file#form-encoder is a separte project, not maintained by our team, and there is no higher version of that project that we could upgrade to. Please create an issue there and link it here so that we can track it and upgrade as soon as it's fixed in the downstream project.

[DidierLoiseau]

Thansk @OlgaMaciaszek for your answer. spring-cloud-openfeign-core actually has an exclusion and an explicit dependency on commons-fileupload, so currently the dependency is maintained here.

I agree that things will be easier when they release a new version with an updated commons-io/commons-fileupload though, but you will have to deal with the relocation as well then – I just created #1102 for that.

[OlgaMaciaszek]

Right @DidierLoiseau; waiting for commons-fileupload 1.6 then.

[OlgaMaciaszek]

Will not be handling it directly anymore after #1103 gets merged.

[jurgis-sipols]

@DidierLoiseau, @OlgaMaciaszek - what's interesting is commons-fileupload team's work on the version 2.X https://dist.apache.org/repos/dist/release/commons/fileupload/RELEASE-NOTES.txt which is under a different group and artifact ID:

  <groupId>org.apache.commons</groupId>
  <artifactId>commons-fileupload2</artifactId>

Given the rare release cycle for 1.X https://github.com/apache/commons-fileupload/tags, I think 1.6 might not come so soon if at all.