Dependency Handlebars 4.3.0 has vulnerability to CVE-2022-42889

[juliank8080]

The current Handlebars dependency used by Wiremock 2.34 uses the Apache.commons.text library, which contains a security vulnerability with ID CVE-2022-42889. Handlebars version 4.3.1 uses the updated version of the Apache library which mitigates this vulnerability.

Wiremock version

2.34.0

What is the issue

Inside the main build.gradle file there is a dependency on Handlebars version 4.3.0. This version uses a vulnerable version of the Apache.commons.text library. Handlebars has a newer version available which uses a non-vulnerable version of the Apache library (issue: jknack/handlebars.java#1009).

What would I like to see

I would like to see the handlebars dependency used by Wiremock updated to version 4.3.1

[lucasvc]

I think this is duplicated by #1990.

[pcgeng]

@lucasvc will you team update the handlebars to 4.3.1 in the next version (2.35.0?) of wiremock?

[lucasvc]

I am not part of the team, I just made the PR to fix the issue #1995.
As you see it is merged and also will be created new wiremock version.

[Yury-Fridlyand]

Apache Commons FileUpload =< 1.4 has this vulnerability. If was fixed in 1.5. link.
It is recommended to update commons-fileupload component to version 1.5.