From 30f4a8ce9ef661a3b19725f37af39144a7227cbd Mon Sep 17 00:00:00 2001
From: daz
Date: Thu, 4 Apr 2024 09:41:32 -0600
Subject: [PATCH] Update vulnerable plugin dependency using constraint

The 'com.github.ben-manes.versions' plugin' has a dependency on a vulnerable version of 'com.squareup.okio:okio'. Assuming there is no fixed version of the plugin available, we avoid this vulnerability using a dependency constraint that causes a newer version of 'okio' to be used in the buildscript classpath.
---
 build.gradle.kts | 12 ++++++++++++
 gradle/libs.versions.toml | 1 +
 2 files changed, 13 insertions(+)

diff --git a/build.gradle.kts b/build.gradle.kts
index d6e51af..5c0c130 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -1,3 +1,15 @@
+// Constrain 'com.squareup.okio:okio' to avoid https://github.com/advisories/GHSA-w33c-445m-f8w7
+buildscript {
+ repositories {
+ gradlePluginPortal()
+ }
+ dependencies {
+ constraints {
+ classpath(libs.okio)
+ }
+ }
+}
+
 plugins {
 alias(libs.plugins.versions)
 }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index deb307d..94d9035 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -5,6 +5,7 @@
 commons-text = { module = "org.apache.commons:commons-text", version = "1.9" }
 minio = { module = "io.minio:minio", version = "8.5.8" }
 junit-jupiter = { module = "org.junit.jupiter:junit-jupiter", version = "5.10.2" }
+okio = { module = "com.squareup.okio:okio", version = "3.4.0" }

 [plugins]
 versions = { id = "com.github.ben-manes.versions", version = "0.51.0" }
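Review bot: The constraint `classpath(libs.okio)` inside `constraints { }` carries no reason, so the advisory it exists for is recorded only in the `//` comment above `buildscript {`, which `dependencyInsight` and `buildEnvironment` output will never surface; attach it to the constraint itself with `classpath(libs.okio) { because("https://github.com/advisories/GHSA-w33c-445m-f8w7") }` so the pin explains itself when someone later sees okio 3.4.0 win conflict resolution. A plain-version constraint only raises the floor under Gradle's highest-version resolution; nothing in the hunk confirms that the plugin's transitive okio was actually replaced, so the commit should be verified with `./gradlew buildEnvironment` (or `dependencyInsight --configuration classpath --dependency com.squareup.okio:okio`) and the buildscript classpath should stay in scope of whatever dependency scanning the project runs, since scanners that only inspect project configurations will not see this classpath. If this build has subprojects with their own `buildscript` blocks (not visible here), each would need the same constraint, because this block only governs the classpath of the script it appears in.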
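Review bot: The new `okio` entry sits between ordinary project libraries with nothing marking it as a buildscript-only pin, so a later reader will take it for an available dependency and may add `implementation(libs.okio)` or lower its version during a routine catalog cleanup without knowing it exists to satisfy an advisory. Add a comment above the key, `# Buildscript-classpath pin only (see build.gradle.kts): okio >= 3.4.0 for GHSA-w33c-445m-f8w7`, so the floor that the commit treats as the fixed version is not dropped by accident. The `[libraries]` header is above the hunk, so the table this key lands in is inferred from its neighbours.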