Nightly dependency-CVE scan (Kraken) flagged org.apache.httpcomponents:httpclient with
GHSA-7r82-7xv7-xcpj (severity: medium; affected range < 4.5.13). No explicit version was
pinned, so the effective version floor was left entirely to transitive conflict resolution.

httpclient was not listed in gradle/libs.versions.toml and no resolutionStrategy
floor was applied. Gradle’s conflict-resolution happened to select 4.5.13 (via
httpasyncclient:4.1.5 pulled by the AWS SDK), but nothing prevented a future transitive
from introducing a vulnerable sub-4.5.13 version undetected.

Added httpclient = "4.5.13" to [versions] in gradle/libs.versions.toml with a
comment citing GHSA-7r82-7xv7-xcpj.

Added an allprojects { configurations.configureEach { resolutionStrategy.eachDependency } }
block in build.gradle.kts that floors org.apache.httpcomponents:httpclient at 4.5.13
across all configurations, mirroring the existing gson / guava / log4j2 CVE-floor pattern.

When a transitive CVE is cleared by Gradle’s existing conflict resolution (i.e., the
resolved version already satisfies the floor), still add an explicit resolutionStrategy
floor so any future transitive regression is caught at build time rather than discovered by the
next CVE scan.
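The floor block described above, written out as an added example in the Gradle Kotlin DSL (this is illustrative code, not the project's own build.gradle.kts). It assumes a [versions] entry httpclient = "4.5.13" in gradle/libs.versions.toml and uses a hypothetical helper isOlderThan so that a request for 4.5.9 is correctly treated as older than 4.5.13.

```kotlin
// build.gradle.kts (root project). Added example, not the project's own file.
// Assumes gradle/libs.versions.toml declares, under [versions]:
//   httpclient = "4.5.13"   # floor for GHSA-7r82-7xv7-xcpj
val httpclientFloor: String = libs.versions.httpclient.get()

// Hypothetical helper: numeric, segment-wise comparison so that 4.5.9 < 4.5.13
// (a plain string compare would get this wrong). Missing segments count as 0.
fun isOlderThan(candidate: String, floor: String): Boolean {
    fun parts(v: String) = v.split('.', '-').map { seg ->
        seg.takeWhile { it.isDigit() }.toIntOrNull() ?: 0
    }
    val a = parts(candidate)
    val b = parts(floor)
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false
}

// Matches concrete versions such as 4.5.9; blank (BOM/platform-managed) and
// dynamic ("4.+") requests are deliberately not matched.
val concreteVersion = Regex("""\d+(\.\d+)*""")

allprojects {
    configurations.configureEach {
        resolutionStrategy.eachDependency {
            val isHttpClient = requested.group == "org.apache.httpcomponents" &&
                requested.name == "httpclient"
            val requestedVersion = requested.version.orEmpty()
            // Only raise concrete requests below the floor; never lower a newer one.
            // Blank or dynamic requests are left to normal conflict resolution,
            // where the nightly scan still acts as the backstop.
            if (isHttpClient && concreteVersion.matches(requestedVersion) &&
                isOlderThan(requestedVersion, httpclientFloor)
            ) {
                useVersion(httpclientFloor)
                because("GHSA-7r82-7xv7-xcpj: httpclient < $httpclientFloor is vulnerable")
            }
        }
    }
}
```

To confirm the rule took effect, ./gradlew dependencyInsight --dependency org.apache.httpcomponents:httpclient --configuration runtimeClasspath reports the selected version together with the "because" reason when the floor was applied.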