Excluded older version of commons-io but forgot to then include later version.

kwwall · kwwall · commit 28721a02a213 · 2021-05-06T22:41:16.000-04:00
Moral: Don't do commits when you're tired.
diff --git a/pom.xml b/pom.xml
@@ -261,8 +261,14 @@
              FORCE SPECIFIC VERSIONS OF TRANSITIVE DEPENDENCIES EXCLUDED ABOVE.
              This is to force patched versions of these libraries with known CVEs against them.
         -->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <!-- Note: commons-io:2.7 and later require Java 8, so can't upgrade past 2.6 -->
+            <!-- This means still possible exposure to CVE-2021-29425. -->
+            <version>2.6</version>
+        </dependency>
 
-        <!-- No forced upgrades required currently -->
 
         <!-- SpotBugs dependencies -->
         <dependency>
