
how to fix vulnerability issue in nested dependency?


I would like to fix some vulnerability issues from javax.el 3.0.3. The problem is that javax.el is an underlying dependency of cron-utils. My co-worker added the cron-utils dependency to pom.xml, not javax.el itself. In that case, how could I fix the issue and upgrade javax.el to a higher version which does not have any vulnerabilities?

<dependency>
  <groupId>com.cronutils</groupId>
  <artifactId>cron-utils</artifactId>
  <version>9.1.6</version>
</dependency>

I found "Changing the version of a transitive dependency in maven pom.xml"; could I add a dependencyManagement section like what is explained there?


Solution

  • You gave the correct answer yourself, so why didn't you give it a try:

    <dependencyManagement>
      <dependencies>
        <!-- add your reason for version adjustment here -->
        <dependency>
          <groupId>example.group.id</groupId>
          <artifactId>example</artifactId>
          <version>good.version.number</version>
        </dependency>
      </dependencies>
    </dependencyManagement>
    

    This is slightly different from excluding the transitive dependency and adding a new one:

    • It works more globally on all transitive usages of that library.
    • When you upgrade the direct dependency and the transitive dependency is removed completely in that new version, you will not depend on it anymore. The solution with the exclusion needs you to remove the added dependency manually from your pom.xml.
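Applied to the artifacts from the question, as an added example that is not part of the original answer: the direct cron-utils dependency stays in `<dependencies>` while `<dependencyManagement>` pins the transitive javax.el. The groupId `org.glassfish` for javax.el is an assumption, and `FIXED_VERSION` is a placeholder for whichever patched release your scanner accepts.

```xml
<!-- Added example, not from the original post. Fragment of pom.xml; the usual
     modelVersion/groupId/artifactId elements are omitted. Assumes javax.el is
     published under groupId org.glassfish; FIXED_VERSION is a placeholder. -->
<project>
  <!-- dependencyManagement sets the version Maven resolves for javax.el
       everywhere it appears in the tree, including underneath cron-utils. -->
  <dependencyManagement>
    <dependencies>
      <!-- Override the transitive javax.el 3.0.3 pulled in by cron-utils 9.1.6.
           Check the release notes: the pinned version must stay API-compatible
           with what cron-utils calls, or you trade a CVE for a runtime error. -->
      <dependency>
        <groupId>org.glassfish</groupId>
        <artifactId>javax.el</artifactId>
        <version>FIXED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency is unchanged; no <exclusions> block is needed,
         and if a later cron-utils drops javax.el the override becomes inert. -->
    <dependency>
      <groupId>com.cronutils</groupId>
      <artifactId>cron-utils</artifactId>
      <version>9.1.6</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.glassfish:javax.el`, which should now list javax.el at the managed version under cron-utils; adding `-Dverbose` also prints which version it was managed from.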