Okio CVE-2023-3635

[skjolber]

Okio seems to be flagged by CVE-2023-3635 and current the proposed fix is to upgrade to >= 3.4. As far as I can see this project uses version 2.10.0.

Is the project already compatible with Okio 3.x, and/or any chance of moving to Okio 3.x in the near future?

[ejona86]

To my knowledge we are already compatible with okio 3. So if you just depend on the newer version things are expected to work. I know of regular testing using okio version 3.1.0, but it also compiles against 3.1.0. So the only possible issue would be an ABI issue, which would error loudly.

Our last last release was on the last okio 1.x release. Our 1.58 release in a month should upgrade to 2.10. We tried to upgrade further, but need to spend more time fighting our build (#10359 (comment)) due to okio's published Gradle Module Metadata.

We were sitting on okio 1.x to avoid the Kotlin dependency and because we were compatible with newer versions so we wouldn't be holding anyone else back. But yeah, that CVE was cause to move forward.

[temawi]

I think the question has been answered so I'll close the issue. Feel free to re-open if needed.