
fix: resolve snyk vulnerabilities#13

Merged
stevecl5 merged 1 commit into master from scl/update-dependencies
Feb 27, 2026

Conversation

@stevecl5
Contributor

Summary of Changes

Updated dependencies including the Coppuccino plugin. This resolves multiple vulnerabilities reported by Snyk, including:

I also removed the redundant kotlin-stdlib-jdk8 dependency (now handled natively by the Kotlin JVM plugin).

Finally, I cleaned up and modernized the Gradle configuration files, removing redundancies and deprecated syntax.

Public API Additions/Changes

N/A

Downstream Consumer Impact

N/A

How Has This Been Tested?

  • Ran ./gradlew dependencies --write-locks to confirm that the redundant kotlin-stdlib-jdk8 dependency was successfully removed and that spotbugs-annotations is natively injected into the compileOnly and testCompileOnly configurations by the upgraded Coppuccino 6.+ plugin.
  • Confirmed that Snyk vulnerabilities are resolved by running snyk test --all-projects --exclude=build.
Snyk scan results
binks % snyk test --all-projects --exclude=build

Testing /Users/steven.leighton/dev/binks...

Tested 92 dependencies for known issues, found 4 issues, 6 vulnerable paths.


License issues:

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:org.jetbrains.intellij.deps:trove4j:LGPL-2.1] in org.jetbrains.intellij.deps:trove4j@1.0.20200330
    introduced by org.jetbrains.kotlin:kotlin-compiler-embeddable@2.1.0 > org.jetbrains.intellij.deps:trove4j@1.0.20200330 and 1 other path(s)

  ✗ MPL-2.0 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0] in net.sf.saxon:Saxon-HE@12.9
    introduced by com.github.spotbugs:spotbugs@4.9.8 > net.sf.saxon:Saxon-HE@12.9

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1] in com.github.spotbugs:spotbugs-annotations@4.9.8
    introduced by com.github.spotbugs:spotbugs-annotations@4.9.8 and 1 other path(s)

  ✗ LGPL-2.1 license [Low Severity][https://snyk.io/vuln/snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1] in com.github.spotbugs:spotbugs@4.9.8
    introduced by com.github.spotbugs:spotbugs@4.9.8



Organization:      mx
Package manager:   gradle
Target file:       build.gradle
Project name:      binks
Open source:       no
Project path:      /Users/steven.leighton/dev/binks
Licenses:          enabled

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
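A check worth pairing with the scan above: Snyk's "found 4 issues" total counts license policy hits together with vulnerabilities, so a CI gate that is supposed to prove "vulnerabilities resolved" has to separate the two kinds of finding rather than fail on the raw count. The Python below is an added example, not code from this PR or the binks repository. It assumes `snyk test --json` emits a `vulnerabilities` array whose entries carry `id`, `title`, `severity`, `packageName`, `version` and `from` fields, and it classifies license findings by the `snyk:lic:` id prefix visible in the CLI output above. Both sample reports are constructed: the clean one mirrors the four license findings on this page, and the `SNYK-JAVA-EXAMPLE-0000000` entry is a made-up vulnerability id used only to show the gate failing.

```python
"""Gate a Snyk scan on vulnerabilities while reporting license findings separately."""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _issue(issue_id, title, severity, pkg, version, path):
    """Build one entry in the shape Snyk's --json 'vulnerabilities' array is assumed
    to use (field names id, title, severity, packageName, version, from)."""
    return {"id": issue_id, "title": title, "severity": severity,
            "packageName": pkg, "version": version, "from": path}


# Constructed report mirroring the post-upgrade scan on this page: four license
# findings and no vulnerabilities. Dependency paths are abbreviated.
CLEAN_REPORT = {"ok": False, "vulnerabilities": [
    _issue("snyk:lic:maven:org.jetbrains.intellij.deps:trove4j:LGPL-2.1",
           "LGPL-2.1 license", "low", "org.jetbrains.intellij.deps:trove4j", "1.0.20200330",
           ["binks", "org.jetbrains.kotlin:kotlin-compiler-embeddable@2.1.0",
            "org.jetbrains.intellij.deps:trove4j@1.0.20200330"]),
    _issue("snyk:lic:maven:net.sf.saxon:Saxon-HE:MPL-2.0", "MPL-2.0 license", "low",
           "net.sf.saxon:Saxon-HE", "12.9",
           ["binks", "com.github.spotbugs:spotbugs@4.9.8", "net.sf.saxon:Saxon-HE@12.9"]),
    _issue("snyk:lic:maven:com.github.spotbugs:spotbugs-annotations:LGPL-2.1",
           "LGPL-2.1 license", "low", "com.github.spotbugs:spotbugs-annotations", "4.9.8",
           ["binks", "com.github.spotbugs:spotbugs-annotations@4.9.8"]),
    _issue("snyk:lic:maven:com.github.spotbugs:spotbugs:LGPL-2.1", "LGPL-2.1 license", "low",
           "com.github.spotbugs:spotbugs", "4.9.8", ["binks", "com.github.spotbugs:spotbugs@4.9.8"]),
]}

# Constructed "before" report: the same license findings plus one hypothetical
# high-severity vulnerability reachable through two paths. Snyk emits one entry
# per vulnerable path, so the same id appears twice. The id is made up.
DIRTY_REPORT = {"ok": False, "vulnerabilities": CLEAN_REPORT["vulnerabilities"] + [
    _issue("SNYK-JAVA-EXAMPLE-0000000", "Constructed example vulnerability", "high",
           "example.group:example-lib", "1.0.0", ["binks", "example.group:example-lib@1.0.0"]),
    _issue("SNYK-JAVA-EXAMPLE-0000000", "Constructed example vulnerability", "high",
           "example.group:example-lib", "1.0.0",
           ["binks", "example.group:other-lib@2.0.0", "example.group:example-lib@1.0.0"]),
]}


def is_license_issue(issue):
    """License findings carry the snyk:lic: id prefix seen in the CLI output."""
    return issue["id"].startswith("snyk:lic:")


def split_issues(report):
    """Separate a parsed report into (vulnerability entries, license entries)."""
    vulns, licenses = [], []
    for issue in report.get("vulnerabilities", []):
        (licenses if is_license_issue(issue) else vulns).append(issue)
    return vulns, licenses


def failing_vulns(vulns, threshold):
    """Unique vulnerability ids at or above the threshold severity."""
    min_rank = SEVERITY_RANK[threshold]
    unique = {}
    for vuln in vulns:
        if SEVERITY_RANK.get(vuln["severity"], 0) >= min_rank:
            unique.setdefault(vuln["id"], vuln)
    return list(unique.values())


def gate(report, threshold="medium"):
    """Summarise a report; 'passed' is True only when no vulnerability meets the threshold.
    License findings are counted but never fail the gate."""
    vulns, licenses = split_issues(report)
    failing = failing_vulns(vulns, threshold)
    return {
        "vulnerable_paths": len(vulns),
        "unique_vulns_failing": len(failing),
        "failing_ids": sorted(v["id"] for v in failing),
        "license_issues": len(licenses),
        "passed": not failing,
    }


def main(argv):
    # With a path argument, read a saved `snyk test --json > report.json`; otherwise
    # run against the constructed DIRTY_REPORT so the script demonstrates a failure.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = DIRTY_REPORT
    result = gate(report)
    print(json.dumps(result, indent=2))
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `snyk test --all-projects --exclude=build --json > report.json && python snyk_gate.py report.json`; the exit code fails the build only on vulnerabilities, while the license findings stay visible in the printed summary for whoever owns license policy. Deduplicating by id matters because Snyk's "vulnerable paths" figure would otherwise make one finding reachable through several dependency chains look like several findings.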

build: update dependencies

build: clean up gradle configuration files
Contributor

@meotch meotch left a comment


Beautiful refactor and a much cleaner way to solve the CVEs in the plugins

@stevecl5 stevecl5 merged commit 8be973a into master Feb 27, 2026
7 checks passed
3 participants