Closed
Hello,
We have been seeing an error when installing Segment Analytics 3.5.1 to do with a dependency vulnerability - https://osv.dev/vulnerability/GHSA-w33c-445m-f8w7
I've installed the dependencies in this repo and can see that it does have a vulnerable version 3.0.0.
+- com.segment.analytics.java:analytics:jar:3.5.2-SNAPSHOT:compile
+- com.segment.analytics.java:analytics-core:jar:3.5.2-SNAPSHOT:compile
|  +- com.squareup.retrofit2:retrofit:jar:2.9.0:compile
|  +- com.google.code.gson:gson:jar:2.9.1:compile
|  \- com.google.auto.value:auto-value-annotations:jar:1.10.1:compile
+- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
|  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile <- This is the vulnerable version
|  |  \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.31:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.7.20:compile
|     \- org.jetbrains:annotations:jar:13.0:compile
+- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
|  \- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.10:compile
|     \- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.10:compile
+- com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
+- com.squareup.retrofit2:retrofit-mock:jar:2.9.0:compile
+- com.segment.backo:backo:jar:1.0.0:compile
\- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
Could we please get this upgraded to 3.4.0 or above?
Thanks!
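The issue above locates the flagged artifact by reading `mvn dependency:tree` output by eye. The script below, an added example that is not part of the issue or of the analytics-java project, automates that step: it parses the text form of the Maven tree, keeps the chain of parents for every node, and reports each artifact whose version is below the first fixed version in a caller-supplied table, so the reader sees which direct dependency (here okhttp) pulls the affected okio-jvm in. The tree is copied from the issue with its indentation restored; the only entry in the fixed-version table is okio-jvm 3.4.0, taken from the upgrade request in the issue, and the `FIXED_IN` mapping and `Finding` type are this example's own names.

```python
"""Flag transitive dependencies below a fixed version in `mvn dependency:tree` output.

Added example, not code from the issue or from analytics-java. Run it directly
to print a report, or import find_vulnerable() and feed it your own tree text.
"""
import re
from dataclasses import dataclass

# Dependency tree copied from the issue above (indentation restored). In a real
# run the root coordinate of the module precedes these lines.
SAMPLE_TREE = """\
+- com.segment.analytics.java:analytics:jar:3.5.2-SNAPSHOT:compile
+- com.segment.analytics.java:analytics-core:jar:3.5.2-SNAPSHOT:compile
|  +- com.squareup.retrofit2:retrofit:jar:2.9.0:compile
|  +- com.google.code.gson:gson:jar:2.9.1:compile
|  \\- com.google.auto.value:auto-value-annotations:jar:1.10.1:compile
+- com.squareup.okhttp3:okhttp:jar:4.10.0:compile
|  +- com.squareup.okio:okio-jvm:jar:3.0.0:compile
|  |  \\- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.5.31:compile
|  \\- org.jetbrains.kotlin:kotlin-stdlib:jar:1.7.20:compile
|     \\- org.jetbrains:annotations:jar:13.0:compile
+- com.squareup.okhttp3:logging-interceptor:jar:4.10.0:compile
|  \\- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.6.10:compile
|     \\- org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.6.10:compile
+- com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
+- com.squareup.retrofit2:retrofit-mock:jar:2.9.0:compile
+- com.segment.backo:backo:jar:1.0.0:compile
\\- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
"""

# groupId:artifactId -> first version that is no longer affected. The single
# entry here is the okio upgrade target named in the issue (hypothetical table,
# extend it from your own advisory feed).
FIXED_IN = {"com.squareup.okio:okio-jvm": "3.4.0"}

# One tree level is three characters: "|  " when a sibling follows, "   " otherwise.
LINE_RE = re.compile(r"^((?:\|  |   )*)[+\\]- (\S+)")


def parse_version(version):
    """Numeric prefix of a Maven version as a tuple: "3.5.2-SNAPSHOT" -> (3, 5, 2)."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_tree(text):
    """Yield (depth, coordinate) for each artifact line; trailing annotations are ignored."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield len(match.group(1)) // 3, match.group(2)


@dataclass
class Finding:
    key: str          # groupId:artifactId
    version: str      # version actually resolved
    fixed_in: str     # first fixed version
    path: list        # coordinates from the direct dependency down to this node


def find_vulnerable(text, fixed_in=FIXED_IN):
    """Return a Finding for every artifact resolved below its first fixed version."""
    findings = []
    ancestors = []  # coordinates of the nodes above the current one
    for depth, coord in parse_tree(text):
        del ancestors[depth:]          # climb back up to this node's parent
        ancestors.append(coord)
        fields = coord.split(":")
        # g:a:type:version:scope, or g:a:type:classifier:version:scope with a classifier
        key = f"{fields[0]}:{fields[1]}"
        version = fields[-2]
        fixed = fixed_in.get(key)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append(Finding(key, version, fixed, list(ancestors)))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_TREE):
        print(f"{finding.key} {finding.version} is below {finding.fixed_in}")
        print("  pulled in via: " + " -> ".join(finding.path))
```

Feed it `mvn dependency:tree` output saved to a file and it prints the chain for each affected artifact; the chain is what tells a consumer whether a `<dependencyManagement>` pin in their own pom is enough to raise the version while waiting for the upstream release.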