LabKey · labkey-willm · Oct 3, 2023 · Oct 2, 2023 · Oct 3, 2023 · Oct 3, 2023
diff --git a/build.gradle b/build.gradle
@@ -304,6 +304,9 @@ allprojects {
                     // Force consistency between pipeline's ActiveMQ  and cloud's jClouds dependencies
                     force "javax.annotation:javax.annotation-api:${javaxAnnotationVersion}"
 
+                    // Force snappy-java version for CVE-2023-43642. Remove once HTSJDK bumps its preferred version.
+                    force "org.xerial.snappy:snappy-java:${snappyJavaVersion}"
+
                     dependencySubstitution {
                         // Because the client api artifact name is not the same as the directory structure, we use
                         // Gradle's dependency substitution so the dependency will appear correctly in the pom files that

diff --git a/gradle.properties b/gradle.properties
@@ -279,6 +279,9 @@ slf4jLog4j12Version=2.0.7
 # this version is forced for compatibility with api, LDK, and workflow
 slf4jLog4jApiVersion=2.0.7
 
+# Force snappy-java version for CVE-2023-43642
+snappyJavaVersion=1.1.10.4
+
 springBootVersion=2.7.16
 # This MUST match the Tomcat version dictated by springBootVersion
 # Also, keep this in sync with apacheTomcatVersion above