This came across in security.Snyk.io in my VSCode IDE but for some reason isn’t being picked up by dependabot or others as far as I can tell. Dunno. Probably low risk from what I can see.
com.thoughtworks.xstream:xstream: 1.4.19
Known security vulnerability: 2
Security advisory: 0
Exploits: unavailable
Highest severity: medium
Recommendation: 1.4.20
It’s only used in the packaging workflow so it’s indeed not very critical but I am indeed wondering if dependabot updates are not held up by some unknown issue, since some other dependencies’ updates have not generated any dependabot PR.
This particular vulnerability should be fixed by this PR: Update launch4j-maven-plugin to 2.3.2, for #5583 by wetneb · Pull Request #5668 · OpenRefine/OpenRefine · GitHub