I had a look at the dependencies mojito uses and most (if not all) of them are out of date. Most importantly, spring-boot 3.1.x is no longer supported. The 3.1.5 version used isn't even the latest 3.1 version. The last available version is 3.1.12.
For the frontend, looking at the git blame of the package.json, there is not a single dependency that was updated in the last 6 years! Additionally, nodejs v8.8.1 and npm 6.11.3 are also far from cutting edge.
Thus, there is now a sizable list of vulnerabilities from the dependencies: dependency-check-report.zip (I had to zip the HTML file, since GitHub does not allow attaching HTMLs directly)
This report was generated with:
mvn org.owasp:dependency-check-maven:12.1.3:check -DnvdApiKey=XXX
In general, I would recommend setting up something like https://github.com/dependabot to help maintain up-to-date dependencies. I am aware that this is no magic solution and manual intervention will still be required (especially when there are breaking changes in dependencies). However, this might help to keep most of the smaller dependencies up-to-date.
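As an added illustration of the Dependabot suggestion above (example configuration, not from the mojito repository or the issue author), a `.github/dependabot.yml` that covers both the Maven backend and the npm frontend; the `directory` values are assumptions about where the `pom.xml` and `package.json` live, and grouping keeps the number of pull requests manageable while still flagging major upgrades separately:

```yaml
# .github/dependabot.yml  (added example; directories are assumptions)
version: 2
updates:
  # Backend: Maven dependencies such as spring-boot and its transitive tree
  - package-ecosystem: "maven"
    directory: "/"              # assumption: root pom.xml
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      # Bundle all Spring artifacts into one PR so they move together
      spring:
        patterns:
          - "org.springframework*"
      # Routine minor/patch bumps of everything else in a single PR
      maven-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Frontend: npm dependencies declared in package.json
  - package-ecosystem: "npm"
    directory: "/webapp"        # assumption: location of package.json
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    groups:
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Major npm upgrades stay as individual PRs so breaking changes are
    # reviewed one at a time rather than mixed into the grouped bump.
```

Security updates for known advisories are opened by Dependabot regardless of the grouping rules, so the vulnerabilities listed in the dependency-check report would surface as their own pull requests once this file is in place.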