Can anything be done to replace a vulnerable (or otherwise problematic) sub-dependency of an AAR dependency?
The latest version of androidx.work:work-runtime, 2.7.1 (also 2.8.0-alpha01), depends on a vulnerable version of the protobuf-javalite package:
work-runtime-2.7.1.aar: inspector.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml (pkg:maven/com.google.protobuf/protobuf-javalite@3.10.0, cpe:2.3:a:google:protobuf-java:3.10.0:*:*:*:*:*:*:*) : CVE-2021-22569
The vulnerability is 3 weeks old, and there is no indication that an update to address this is coming.
I understand that the way this dependency is packaged, there isn't a way to yank it out of there, and force-feed a newer version in its stead.
Do I have any options left here, besides recompiling the project myself for the time being?
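The scanner output quoted in the question comes from Maven metadata (`META-INF/maven/<group>/<artifact>/pom.*`) that a nested jar inside the AAR carries along. The following added example (not code from the question or from AndroidX) shows how to reproduce that finding yourself and triage it: it walks an AAR, recurses into every nested `.jar`/`.aar`, collects the embedded artifact coordinates, and flags any that fall below a minimum version you supply. The sample AAR built in `build_sample_aar()` is constructed for the demonstration and only mirrors the coordinates reported above; the version threshold passed to `flag_outdated()` is a placeholder that a practitioner fills in from the advisory for the CVE in question.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

Artifact = Tuple[str, str, str, str]  # (location inside the AAR, groupId, artifactId, version)


def build_sample_aar() -> bytes:
    """Constructed sample: a minimal AAR (a zip) whose nested inspector.jar embeds
    Maven metadata for a third-party artifact. Not a real AndroidX artifact."""
    inspector = io.BytesIO()
    with zipfile.ZipFile(inspector, "w") as jar:
        jar.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-javalite/pom.properties",
            "# constructed\ngroupId=com.google.protobuf\n"
            "artifactId=protobuf-javalite\nversion=3.10.0\n",
        )
        jar.writestr("com/google/protobuf/MessageLite.class", b"\xca\xfe\xba\xbe")
    classes = io.BytesIO()
    with zipfile.ZipFile(classes, "w") as jar:
        jar.writestr("androidx/work/WorkManager.class", b"\xca\xfe\xba\xbe")
    aar = io.BytesIO()
    with zipfile.ZipFile(aar, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.jar", classes.getvalue())
        z.writestr("inspector.jar", inspector.getvalue())
    return aar.getvalue()


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Maven pom.properties file."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def embedded_artifacts(archive: bytes, prefix: str = "") -> List[Artifact]:
    """Collect Maven coordinates embedded anywhere in the archive, recursing into
    nested jars/AARs so that inspector.jar-style bundling is not missed."""
    found: List[Artifact] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            location = f"{prefix}/{name}" if prefix else name
            if "META-INF/maven/" in name and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                found.append((location, props.get("groupId", "?"),
                              props.get("artifactId", "?"), props.get("version", "?")))
            elif name.endswith((".jar", ".aar")):
                found.extend(embedded_artifacts(zf.read(name), location))
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only; '2.8.0-alpha01' compares as (2, 8, 0)."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def flag_outdated(archive: bytes, minimums: Dict[Tuple[str, str], str]) -> List[Artifact]:
    """Return embedded artifacts whose version is below the supplied minimum.
    `minimums` maps (groupId, artifactId) to the lowest acceptable version."""
    return [
        art for art in embedded_artifacts(archive)
        if (art[1], art[2]) in minimums
        and version_key(art[3]) < version_key(minimums[(art[1], art[2])])
    ]


if __name__ == "__main__":
    sample = build_sample_aar()
    for art in embedded_artifacts(sample):
        print("embedded:", art)
    # Placeholder threshold; take the real fixed version from the advisory.
    for art in flag_outdated(sample, {("com.google.protobuf", "protobuf-javalite"): "3.11.0"}):
        print("below minimum:", art)
```

Run it against a real AAR by replacing `sample` with the file's bytes (`open("work-runtime-2.7.1.aar", "rb").read()`); anything listed under `inspector.jar/...` is bundled inside that nested jar rather than declared as a separate Gradle module, which is why a plain version override on the module coordinates does not reach it.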
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow