deps.edn
;; Dependency manifest for the Clojure CLI (tools.deps): source paths, Maven
;; repositories, runtime dependencies, and the build/check/dev/test aliases.
;; Several entries below exist only to pin or exclude transitive artifacts with
;; known vulnerabilities; each carries a comment naming the CVE/CWE it addresses.
{:paths ["src" "resources"]
;; All repositories are fetched over HTTPS.
:mvn/repos
{"central" {:url "https://repo1.maven.org/maven2/"}
"clojars" {:url "https://repo.clojars.org/"}
;; Needed for com.github.kenglxn.qrgen/javase, which is a dependency of one-time.
;; See https://github.com/kenglxn/QRGen/issues/61
;; NOTE(review): this adds a third repository to the resolution set for the sake
;; of one transitive artifact; presumably a coordinate missing from the other
;; repos could also be served from here -- confirm, and drop the repo once the
;; linked issue no longer applies.
"jitpack" {:url "https://jitpack.io/"}}
;; Runtime dependencies. In tools.deps a top-level entry takes precedence over
;; the version requested transitively, which is what makes the CVE overrides
;; below effective. Each override should be re-checked when its parent library
;; is upgraded.
:deps
{aero/aero {:mvn/version "1.1.6"}
buddy/buddy-core {:mvn/version "1.12.0-430"}
ch.qos.logback/logback-classic {:mvn/version "1.5.25"}
cheshire/cheshire {:mvn/version "6.1.0"}
clj-http/clj-http {:mvn/version "3.13.1"}
clj-stacktrace/clj-stacktrace {:mvn/version "0.2.8"}
com.cemerick/friend {:mvn/version "0.2.3"
:exclusions [ ;; not used, excluded to address CVE-2007-1652, CVE-2007-1651
org.openid4java/openid4java-nodeps
;; not used, excluded to address CVE-2012-0881, CVE-2013-4002, CVE-2009-2625
net.sourceforge.nekohtml/nekohtml]}
com.cognitect.aws/api {:mvn/version "0.8.774"}
com.cognitect.aws/endpoints {:mvn/version "871.2.41.10"}
com.cognitect.aws/s3 {:mvn/version "871.2.40.9"}
com.cognitect.aws/sqs {:mvn/version "871.2.34.1"}
com.cognitect.aws/ssm {:mvn/version "871.2.38.3"}
com.github.scribejava/scribejava-apis {:mvn/version "8.3.3"}
com.github.seancorfield/honeysql {:mvn/version "2.7.1368"}
com.github.seancorfield/next.jdbc {:mvn/version "1.3.1086"}
;; Override the version brought in by commons-email to address CVE-2025-7962
;; Excluded from antq checking as it wants to upgrade to 2.0.2, which isn't
;; compatible with commons-email
;; Because antq skips this entry, later security releases for this artifact
;; have to be tracked by hand.
com.sun.mail/jakarta.mail ^:antq/exclude {:mvn/version "1.6.8"}
com.stuartsierra/component {:mvn/version "1.2.0"}
;; Override the version brought in by aging-session to address CVE-2020-24164
;; & CVE-2024-36124
com.taoensso/nippy {:mvn/version "3.6.0"}
comb/comb {:mvn/version "1.0.0"}
digest/digest {:mvn/version "1.4.10"}
duct/duct {:mvn/version "0.8.2"}
duct/hikaricp-component {:mvn/version "0.1.2"
:exclusions [org.slf4j/slf4j-nop]}
;; manually imported clj-kondo configs from 2.x branch to .clj-kondo/imports/hiccup/hiccup
hiccup/hiccup {:mvn/version "1.0.5"}
kirasystems/aging-session {:mvn/version "0.5.0"
:exclusions [org.clojure/clojurescript]}
metosin/malli {:mvn/version "0.20.0"}
metosin/muuntaja {:mvn/version "0.6.11"}
metosin/muuntaja-yaml {:mvn/version "0.6.11"}
net.cgrand/regex {:mvn/version "1.1.0"}
;; This fork of http-kit supports :status-message to allow us to
;; continue to send custom status messages on deploy failure.
;; See https://github.com/clojars/http-kit
net.clojars.internal/http-kit {:mvn/version "2.9.0-beta3-clojars-03"}
one-time/one-time {:mvn/version "0.8.0"
:exclusions [ ;; not needed on java 17, addresses CWE-120
com.github.jai-imageio/jai-imageio-core
;; not used, addresses CVE-2020-11987, CVE-2019-17566
org.apache.xmlgraphics/batik-dom
org.apache.xmlgraphics/batik-svggen]}
org.apache.commons/commons-email {:mvn/version "1.6.0"}
org.apache.lucene/lucene-core {:mvn/version "10.3.2"}
org.apache.lucene/lucene-analysis-common {:mvn/version "10.3.2"}
org.apache.lucene/lucene-queryparser {:mvn/version "10.3.2"}
org.apache.maven/maven-model {:mvn/version "3.9.12"}
org.apache.maven/maven-repository-metadata {:mvn/version "3.9.12"}
;; Override bouncycastle brought in by buddy-core to address CVE-2025-8916
org.bouncycastle/bcpkix-jdk18on {:mvn/version "1.83"}
org.bouncycastle/bcprov-jdk18on {:mvn/version "1.83"}
org.clojure/clojure {:mvn/version "1.12.4"}
org.clojure/data.xml {:mvn/version "0.2.0-alpha10"}
org.clojure/tools.logging {:mvn/version "1.3.1"}
;; NOTE(review): nREPL is a remote-evaluation server and this is a runtime
;; (not :dev) dependency -- confirm that any listener it starts is bound to
;; loopback only and is not reachable from outside the host in production.
org.clojure/tools.nrepl {:mvn/version "0.2.13"}
org.postgresql/postgresql {:mvn/version "42.7.9"}
raven-clj/raven-clj {:mvn/version "1.7.0"}
ring/ring-core {:mvn/version "1.15.3"}
ring/ring-defaults {:mvn/version "0.7.0"}
valip/valip {:mvn/version "0.2.0"}
;; # Address CVEs
;; Version pins whose stated purpose is to resolve the CVEs listed on each entry.
;; Addresses CVE-2022-42004, CVE-2022-42003, CVE-2021-46877, CVE-2020-36518
com.fasterxml.jackson.core/jackson-databind {:mvn/version "2.21.0"}
;; Addresses CVE-2019-10086, CVE-2014-0114, CVE-2025-48734
commons-beanutils/commons-beanutils {:mvn/version "1.11.0"}
;; Addresses CVE-2015-6420
;; Excluded from antq checking as it wants to upgrade to 20040616, which is actually a downgrade
;; Because antq skips this entry, any future advisory against 3.2.2 has to be
;; tracked by hand.
commons-collections/commons-collections ^:antq/exclude {:mvn/version "3.2.2"}
;; Addresses CVE-2015-0886
org.mindrot/jbcrypt {:mvn/version "0.4"}}
;; Aliases: tooling entry points selected on the command line.
;; :build uses :deps, so it declares its own dependency set (tools.build) and
;; defaults to the `build` namespace.
:aliases {:build {:deps {io.github.clojure/tools.build {:mvn/version "0.10.12"}}
:ns-default build}
;; :check runs clj-check.check. The git dependency is pinned to a full commit
;; SHA, so the code that gets fetched cannot change under a moved branch or tag.
:check {:extra-deps {athos/clj-check {:git/url "https://github.com/athos/clj-check.git"
:sha "d997df866b2a04b7ce7b17533093ee0a2e2cb729"}}
:main-opts ["-m" "clj-check.check"]}
;; :dev adds development-only libraries and puts dev, dev-resources and test
;; on the classpath.
:dev {:extra-deps
{clj-commons/pomegranate {:mvn/version "1.2.25"}
;; manually imported clj-kondo to .clj-kondo/imports/kerodon/kerodon
kerodon/kerodon {:mvn/version "0.9.1"}
net.polyc0l0r/bote {:mvn/version "0.1.0"}
nubank/matcher-combinators {:mvn/version "3.9.2"}
org.clojure/tools.namespace {:mvn/version "1.5.1"}
reloaded.repl/reloaded.repl {:mvn/version "0.2.4"}
vvvvalvalval/scope-capture-nrepl {:mvn/version "0.3.1"}}
:extra-paths ["dev" "dev-resources" "test"]}
;; :migrate-db runs clojars.tools.migrate-db with the argument "development".
:migrate-db {:main-opts ["-m" "clojars.tools.migrate-db" "development"]}
;; :setup-dev-repo runs clojars.tools.setup-dev.
:setup-dev-repo {:main-opts ["-m" "clojars.tools.setup-dev"]}
;; :test adds kaocha and runs kaocha.runner.
:test {:extra-deps
{lambdaisland/kaocha {:mvn/version "1.91.1392"}}
:main-opts ["-m" "kaocha.runner"]}}}