background
Some time ago, the log4j security vulnerability incident can be said to have set off a "bloody storm". Just recently, a project has particularly high security requirements, and a unified repair has been made to open source components with security vulnerabilities. Here is a summary, I hope it will be helpful for you to choose the component version in the future.
open source components
Commonly used open source component versions are recommended at work. It is recommended not to be lower than the recommended version, which can avoid some security holes.
| component coordinates | recommended version | Remark |
|---|---|---|
| commons-collections:commons-collections | 3.2.2 | |
| com.thoughtworks.xstream:xstream | 1.4.18 | |
| com.alibaba:dubbo | 2.6.10.1 | |
| com.alibaba:fastjson | 1.2.78 | It is best not to use jackson instead |
| log4j:log4j | 1.2.17-cloudera1 | It is best not to use logback instead |
| org.slf4j:slf4j-log4j12 | 1.7.26 | It is best not to use logback instead |
| Spring Framework | 5.3.13 | |
| Spring Boot | 2.6.0 | |
| org.codehaus.jackson:jackson-mapper-asl | 1.9.13-cloudera.1 | |
| com.fasterxml.jackson.core:jackson-databind | 2.13.0 | |
| io.vertx:vertx-XXX | 3.9.7 | |
| org.apache.shiro:shiro-web org.apache.shiro:shiro-core |
1.8.0 | |
| ch.qos.logback:logback-classic | 1.2.7 | |
| commons-fileupload:commons-fileupload | 1.3.1-jenkins-2 | |
| mysql:mysql-connector-java | 5.1.49 or 8.0.27 | |
| org.java-websocket:Java-WebSocket | 1.5.2 | |
| commons-beanutils:commons-beanutils | 1.9.4 | |
| org.apache.commons:commons-email | 1.5 | |
| org.freemarker:freemarker | 2.3.31 | |
| addressable | 2.8.0 | |
| com.google.protobuf:protobuf-java | 3.6.1.3-2+b3 | |
| com.alibaba:druid-spring-boot-starter | 1.2.8 | |
| io.netty:netty-XXX | 4.1.70 | |
| com.squareup.okhttp3:okhttp | 3.12.2 | |
| com.google.guava:guava | 31.0.1-android,30.1.1-jre | |
| commons-io:commons-io | 2.11.0 | |
| commons-httpclient:commons-httpclient | 5.2-alpha1 | |
| commons-codec:commons-codec | 1.14,1.15,1.16-SNAPSHOT | |
| org.apache.commons:commons-lang3 | 3.4 | |
| org.apache.thrift:libthrift | 0.14.0 | |
| org.apache.poi:poi-excelant | 4.1.2 | |
| org.apache.poi:poi: | 4.1.2 | |
| org.apache.kafka:kafka-clients | 1.0.1.3.0.0.18-4 | |
| com.itextpdf.tool:xmlworker | 5.5.12 | |
| org.hibernate:hibernate-validator | 6.0.20.Final | |
| org.springframework.cloud:spring-cloud-starter-openfeign | 2.2.10.RELEASE | |
| org.springframework.security:spring-security-crypto | 5.4.7 | |
| org.mybatis:mybatis | 3.5.6 | |
| jquery | 3.5.0 | |
| junit:junit | 4.13.2 | |
| org.apache.rocketmq:rocketmq | 4.6.1 | |
| codemirror | 5.58.2 | |
| org.glassfish:jakarta.el | 3.0.3.jbossorg-4 | |
| org.mongodb:mongo-java-driver | 3.11.3 |
后续将不断补充,欢迎关注”浅谈架构“公众号,不定期分享干货,欢迎点赞收藏!
