-
-
Notifications
You must be signed in to change notification settings - Fork 114
/
deps.edn
135 lines (111 loc) · 6.36 KB
/
deps.edn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
{:paths ["src" "resources"]
:mvn/repos
{"central" {:url "https://repo1.maven.org/maven2/"}
"clojars" {:url "https://repo.clojars.org/"}
;; Needed for com.github.kenglxn.qrgen/javase, which is a dependency of one-time.
;; See https://github.com/kenglxn/QRGen/issues/61
"jitpack" {:url "https://jitpack.io/"}}
:deps
{aero/aero {:mvn/version "1.1.6"}
buddy/buddy-core {:mvn/version "1.11.423"}
ch.qos.logback/logback-classic {:mvn/version "1.5.13"}
cheshire/cheshire {:mvn/version "5.10.1"}
clj-http/clj-http {:mvn/version "3.12.3"}
clj-stacktrace/clj-stacktrace {:mvn/version "0.2.8"}
com.cemerick/friend {:mvn/version "0.2.3"
:exclusions [ ;; not used, excluded to address CVE-2007-1652, CVE-2007-1651
org.openid4java/openid4java-nodeps
;; not used, excluded to address CVE-2012-0881, CVE-2013-4002, CVE-2009-2625
net.sourceforge.nekohtml/nekohtml]}
;; Note: there is a newer api release that uses the built-in java http client
;; instead of using jetty client, but we can't upgrade to it until
;; https://github.com/cognitect-labs/aws-api/issues/261 is addressed.
com.cognitect.aws/api {:mvn/version "0.8.692"
;; we use org.tcrawley/cognitect-http-client instead to use Jetty 11
:exclusions [com.cognitect/http-client]}
com.cognitect.aws/endpoints {:mvn/version "1.1.12.489"}
com.cognitect.aws/s3 {:mvn/version "847.2.1398.0"}
com.cognitect.aws/sqs {:mvn/version "847.2.1398.0"}
com.cognitect.aws/ssm {:mvn/version "847.2.1365.0"}
com.github.scribejava/scribejava-apis {:mvn/version "8.3.1"}
com.github.seancorfield/honeysql {:mvn/version "2.4.1078"}
com.github.seancorfield/next.jdbc {:mvn/version "1.3.925"}
com.stuartsierra/component {:mvn/version "0.3.1"}
;; Override the version brought in by aging-session to address CVE-2020-24164
;; & CVE-2024-36124
com.taoensso/nippy {:mvn/version "3.4.2"}
digest/digest {:mvn/version "1.4.10"}
duct/duct {:mvn/version "0.8.2"}
duct/hikaricp-component {:mvn/version "0.1.2"
:exclusions [org.slf4j/slf4j-nop]}
kirasystems/aging-session {:mvn/version "0.5.0"
:exclusions [org.clojure/clojurescript]}
metosin/malli {:mvn/version "0.15.0"}
one-time/one-time {:mvn/version "0.7.0"
:exclusions [ ;; not needed on java 17, addresses CWE-120
com.github.jai-imageio/jai-imageio-core
;; not used, addresses CVE-2020-11987, CVE-2019-17566
org.apache.xmlgraphics/batik-dom
org.apache.xmlgraphics/batik-svggen]}
org.apache.commons/commons-email {:mvn/version "1.5"}
org.apache.lucene/lucene-core {:mvn/version "8.11.4"}
org.apache.lucene/lucene-analyzers-common {:mvn/version "8.11.4"}
org.apache.lucene/lucene-queryparser {:mvn/version "8.11.4"}
org.apache.maven/maven-model {:mvn/version "3.8.4"}
org.apache.maven/maven-repository-metadata {:mvn/version "3.8.4"}
;; Override bouncycastle brought in by buddy-core to address CVE-2024-29857,
;; CVE-2024-30171, CVE-2024-30172
org.bouncycastle/bcpkix-jdk18on {:mvn/version "1.78"}
org.bouncycastle/bcprov-jdk18on {:mvn/version "1.78"}
org.clojure/clojure {:mvn/version "1.12.0"}
org.clojure/data.xml {:mvn/version "0.2.0-alpha9"}
org.clojure/tools.logging {:mvn/version "1.2.4"}
org.clojure/tools.nrepl {:mvn/version "0.2.11"}
org.postgresql/postgresql {:mvn/version "42.7.2"}
;; Having this as a top-level dep instead of having it come in transitively
;; allows logging to be properly configured instead of going to stdout, and I
;; don't know why! - Toby 2024-05-05
org.slf4j/slf4j-api {:mvn/version "2.0.13"}
org.tcrawley/cognitect-http-client {:mvn/version "1.11.130"}
net.cgrand/regex {:mvn/version "1.0.1"}
raven-clj/raven-clj {:mvn/version "1.7.0"}
ring/ring-core {:mvn/version "1.12.1"}
ring/ring-defaults {:mvn/version "0.5.0"}
;; Audit clojars.ring-servlet-patch if updating this version!
ring/ring-jetty-adapter {:mvn/version "1.13.0"}
ring-jetty-component/ring-jetty-component {:mvn/version "0.3.1"}
ring-middleware-format/ring-middleware-format {:mvn/version "0.7.5"}
valip/valip {:mvn/version "0.2.0"}}
:aliases {:defaults
;; We use override-deps to address CVEs
{:override-deps
{;; Addresses CVE-2022-42004, CVE-2022-42003, CVE-2021-46877, CVE-2020-36518
com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.15.2"}
;; Addresses CVE-2019-10086, CVE-2014-0114
commons-beanutils/commons-beanutils {:mvn/version "1.9.4"}
;; Addresses CVE-2015-6420
commons-collections/commons-collections {:mvn/version "3.2.2"}
;; Addresses CVE-2015-0886
org.mindrot/jbcrypt {:mvn/version "0.4"}
;; Addresses CVE-2022-25857, CVE-2022-38749, CVE-2022-41854, CVE-2022-38751, CVE-2022-38752, CVE-2022-38750
org.yaml/snakeyaml {:mvn/version "1.33"}}}
:build {:deps {io.github.clojure/tools.build {:mvn/version "0.9.5"}}
:ns-default build}
:check {:extra-deps {athos/clj-check {:git/url "https://github.com/athos/clj-check.git"
:sha "0ca84df1357d71429243b99908303f45a934654c"}}
:main-opts ["-m" "clj-check.check"]}
:dev {:extra-deps
{clj-commons/pomegranate {:mvn/version "1.2.1"}
eftest/eftest {:mvn/version "0.5.9"}
kerodon/kerodon {:mvn/version "0.9.1"}
net.polyc0l0r/bote {:mvn/version "0.1.0"}
nubank/matcher-combinators {:mvn/version "3.8.6"}
org.clojure/tools.namespace {:mvn/version "1.2.0"}
reloaded.repl/reloaded.repl {:mvn/version "0.2.4"}
vvvvalvalval/scope-capture-nrepl {:mvn/version "0.3.1"}}
:extra-paths ["dev" "dev-resources" "test"]}
:migrate-db {:main-opts ["-m" "clojars.tools.migrate-db" "development"]}
:setup-dev-repo {:main-opts ["-m" "clojars.tools.setup-dev"]}
:test {:extra-deps
{lambdaisland/kaocha {:mvn/version "1.85.1342"}}
:main-opts ["-m" "kaocha.runner"]}}}