[Bug] nacos-client lib has a security vulnerability

[pjfanning]

Search before asking

• I had searched in the issues and found no similar issues.

Apache SkyWalking Component

OAP server (apache/skywalking)

What happened

nacos-client lib has a security vulnerability

GHSA-2g86-r6w2-wqqr

v2.0.3 or later is needed

What you expected to happen

ideally, no insecure libs should be used

How to reproduce

use a code scanner - like dependabot

Anything else

No response

Are you willing to submit PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[wu-sheng]

Welcome to submit a pull request to update with updating versions in license using skywalking-eyes tool

[kezhenxu94]

I tried to fix this in #9545 and found we are using 1.x but they fix this in 2.x. Also, they started to package all dependency by shading into their client SDK so the package becomes really large, what's more, the dependencies that are packed into the SDK also have CVE, so we have literally NO way to upgrade them.

In all, we have no way to upgrade to a version without CVE for Nacos.

Do you use nacos or only because it exists to cause CVE? If it's latter you can just remove the related jars out of your environment.

We have to consider removing nacos related things one day if it becomes unmaintainable like this.

[wu-sheng]

We have to consider removing nacos related things one day if it becomes unmaintainable like this.

I think we need to submit an issue to nacos as a warning and suggestion.
I agree that providing a uber jar is not a good practice for a library.

[wu-sheng]

I submitted one to Nacos, alibaba/nacos#9091

Let's see how they reply from official team.

[wu-sheng]

According to the official response, alibaba/nacos#9091 (comment), this is not a CVE we need to concern.