Hi. The project uses Spring Cloud in its latest version (2024.0.0), and one of its dependencies is com.thoughtworks.xstream:xstream at version 1.4.20:

[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.2.0:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:4.2.0:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:4.2.0:compile
[INFO] |  |  \- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:4.2.0:compile
[INFO] |  |  \- org.apache.httpcomponents.client5:httpclient5:jar:5.4.1:compile
[INFO] |  |     +- org.apache.httpcomponents.core5:httpcore5:jar:5.3.2:compile
[INFO] |  |     \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.3.2:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:2.0.4:compile
[INFO] |  |  +- com.thoughtworks.xstream:xstream:jar:1.4.20:compile  

which has vulnerabilities:

https://security.snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924
https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.20

Any schedule to update to 1.4.21?

Thanks in advance.

Comment From: OlgaMaciaszek

Hello @trcoelho, thanks for creating the issue. We do not manage the version of this dependency, however, I have submitted a PR to Netflix/Eureka: https://github.com/Netflix/eureka/pull/1572.

Comment From: ziad-saade

Hello @OlgaMaciaszek

Seems like the issue is not resolved in release spring-cloud-starter-netflix-eureka-client:4.3.0; xstream is still 1.4.20? Any targeted date to fix the matter?

Comment From: OlgaMaciaszek

Fixed.