Hi Kelly,

Thanks for reporting this. Opening a Jira at https://issues.apache.org/jira/projects/CAY/ would help. I'd normally also say a pull request would help, but bumping up a version is trivial, so you may skip that.

Regarding the recommendation to not use "cayenne-velocity"... Without Velocity, Cayenne still supports SQL templating, just with a minimal set of features (no loops and such). This may or may not be sufficient for your system (and we still need to upgrade), but figured I'd clarify.

Thanks,
Andrus

> On Jun 25, 2025, at 6:59 AM, Kelly Mercier White <kmercierwh...@axway.com> wrote:
>
> Hi Cayenne group,
>
> The cayenne velocity module seems to be using a vulnerable version of commons-io, via apache-velocity 2.3. An upgrade to 2.4.0/2.4.1 of velocity-core-engine would resolve this.
>
> What would be the correct procedure to help get this updated? I've seen another thread about this topic from a different user, and I think what was recommended is simply to not use cayenne-velocity, but in our project we do some SQL templating which integrates well with it.
>
> Thank you,
> Kelly M-W
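Until the Cayenne release with the bumped version ships, a consuming project can pin the transitive Velocity engine itself. The Maven fragment below is an added example, not code from the Cayenne project or from either poster; it assumes the Maven coordinates org.apache.velocity:velocity-engine-core (the artifact Kelly refers to as velocity-core-engine) and org.apache.cayenne:cayenne-velocity, and uses ${cayenne.version} as a placeholder.

```xml
<!-- pom.xml fragment (added example, not from the Cayenne project).
     Assumed coordinates: org.apache.velocity:velocity-engine-core and
     org.apache.cayenne:cayenne-velocity; ${cayenne.version} is a placeholder. -->
<dependencyManagement>
  <dependencies>
    <!-- Force the Velocity engine that cayenne-velocity pulls in transitively
         (2.3 on the current module) up to the 2.4.1 release Kelly suggests,
         so the older commons-io it carries is no longer resolved. -->
    <dependency>
      <groupId>org.apache.velocity</groupId>
      <artifactId>velocity-engine-core</artifactId>
      <version>2.4.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The module itself stays as declared; only its transitive engine is overridden. -->
  <dependency>
    <groupId>org.apache.cayenne</groupId>
    <artifactId>cayenne-velocity</artifactId>
    <version>${cayenne.version}</version>
  </dependency>
</dependencies>
```

After the override, `mvn dependency:tree -Dincludes=commons-io` shows which commons-io version is actually resolved, which is the check to run before treating the finding as closed.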