Hi Kelly,

For now, can you try overriding the velocity version in your project's pom.xml? Maven will use the version you specify instead of the one Cayenne specifies as a dependency. Assuming Velocity 2.4 is largely compatible with 2.3, there shouldn't be any issues with this approach.

Thanks,
mrg

On Wed, Jun 25, 2025 at 6:59 AM Kelly Mercier White <kmercierwh...@axway.com> wrote:

> Hi Cayenne group,
>
> The cayenne velocity module seems to be using a vulnerable version of
> commons-io, via apache-velocity 2.3. An upgrade to 2.4.0/2.4.1 of
> velocity-core-engine would resolve this.
>
> What would be the correct procedure to help get this updated? I've seen
> another thread about this topic from a different user, and I think what was
> recommended is simply to not use cayenne-velocity, but in our project we do
> some SQL templating which integrates well with it.
>
> Thank you,
> Kelly M-W
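
The override suggested in the reply above, sketched as a pom.xml fragment. This is an added example, not part of the original messages or of the Cayenne project. It assumes the Velocity engine's Maven coordinates org.apache.velocity:velocity-engine-core and a `cayenne.version` property defined by your own project.

```xml
<!-- Added example: fragment of the consuming project's pom.xml. -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the Velocity engine that cayenne-velocity pulls in transitively.
         A version set in dependencyManagement takes precedence over the
         version declared in the dependency's own POM. -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.4.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.apache.cayenne</groupId>
    <artifactId>cayenne-velocity</artifactId>
    <!-- Assumption: this property is defined elsewhere in your POM. -->
    <version>${cayenne.version}</version>
  </dependency>
</dependencies>

<!-- Check what actually resolves after the change:
       mvn dependency:tree -Dincludes=org.apache.velocity,commons-io
     velocity-engine-core should show 2.4.1. Confirm that any commons-io
     version listed is one your scanner no longer flags, and run the SQL
     templating tests, since 2.3 to 2.4 compatibility is assumed, not
     guaranteed. -->
```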