Snyk Vulnerability in Pushy 0.15.4 ([email protected])

[anshumanS17]

Hi,

I’ve noticed a high-severity vulnerability reported by Snyk in Pushy 0.15.4. The issue is related to the [email protected] dependency (used in com.eatthepath:[email protected] › io.netty:[email protected] › io.netty:[email protected]).

As per the documentation, Pushy 0.15.4 is the latest version, and it depends on [email protected], which has the vulnerability.

I have a few questions:

1. Is there a new version of Pushy planned that fixes this vulnerability?

2. Or, can I exclude [email protected] and try using a newer version of netty-handler that doesn't have the vulnerability? Would this be compatible with Pushy 0.15.4?

I’d appreciate your help and suggestions. Looking forward to your reply. Thanks.

[jchambers]

Can you please provide a link to the specific vulnerability?

To manage expectations, most of the time, these are false alarms. It's probably true that there's a vulnerability in netty-handler-4.1.104.Final, but netty-handler includes a lot of components that Pushy simply doesn't use. Often the vulnerabilities these scanners identify are in unrelated components.

[anshumanS17]

This was the vulnerability reported
Snyk Link

[jchambers]

Thank you. That does seem somewhat relevant, though I think the risk is very low because Pushy is generally talking to trusted servers. Still, we should update.