
Dependency Security Update: CVE-2025-67030 in plexus-utils #2919

@simaysanli

Hello,

I would like to report one problem: a high-severity Path Traversal vulnerability (CVE-2025-67030) has been identified in the plexus-utils library, which is a common dependency for Java build tools and plugins.

The recommended action is to update the plexus-utils dependency to 3.6.1 or 4.0.3 (or later).

+- com.diffplug.spotless:spotless-maven-plugin:jar:3.4.0:compile
[INFO] |  +- com.diffplug.spotless:spotless-lib:jar:4.5.0:runtime
[INFO] |  +- com.diffplug.spotless:spotless-lib-extra:jar:4.5.0:runtime
[INFO] |  |  +- com.googlecode.concurrent-trees:concurrent-trees:jar:2.6.1:runtime
[INFO] |  |  +- dev.equo.ide:solstice:jar:1.8.1:runtime
[INFO] |  |  |  +- com.diffplug.durian:durian-swt.os:jar:4.3.0:runtime
[INFO] |  |  |  \- org.tukaani:xz:jar:1.9:runtime
[INFO] |  |  \- org.eclipse.platform:org.eclipse.osgi:jar:3.24.100:runtime
[INFO] |  +- com.diffplug.durian:durian-core:jar:1.2.0:runtime
[INFO] |  +- com.diffplug.durian:durian-io:jar:1.2.0:runtime
[INFO] |  +- com.diffplug.durian:durian-collect:jar:1.2.0:runtime
[INFO] |  +- org.codehaus.plexus:plexus-resources:jar:1.3.1:runtime
[INFO] |  |  +- org.codehaus.plexus:plexus-utils:jar:4.0.2:runtime
[INFO] |  |  +- org.codehaus.plexus:plexus-xml:jar:3.0.1:runtime
[INFO] |  |  \- javax.inject:javax.inject:jar:1:runtime
[INFO] |  \- org.sonatype.plexus:plexus-build-api:jar:0.0.7:runtime

I noticed that the project currently relies on an older version of plexus-utils which is flagged for CVE-2025-67030. According to the latest version of spotless, 3.4.0, the plexus-utils dependency is 4.0.2 as shown above. Could you please take a look? Thank you in advance.
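As an added example (not part of this issue or of the spotless project), a small check that scans `mvn dependency:tree` output for plexus-utils and flags any version below the fixed releases named above. The thresholds 3.6.1 and 4.0.3 come from this issue; treating major versions above 4 as "later" and therefore fixed is an assumption, as is the constructed sample tree.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of `mvn dependency:tree` output, modelled on the tree in the issue.
SAMPLE_TREE = """\
[INFO] |  +- org.codehaus.plexus:plexus-resources:jar:1.3.1:runtime
[INFO] |  |  +- org.codehaus.plexus:plexus-utils:jar:4.0.2:runtime
[INFO] |  |  +- org.codehaus.plexus:plexus-xml:jar:3.0.1:runtime
[INFO] +- org.example:other-plugin:jar:1.0.0:compile
[INFO] |  \\- org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
"""

# Minimum fixed release per major line, as stated in the issue (3.6.1 / 4.0.3 or later).
FIXED = {3: (3, 6, 1), 4: (4, 0, 3)}


class Finding(NamedTuple):
    coordinate: str   # groupId:artifactId
    version: str
    vulnerable: bool


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric components only, so "4.0.2-SNAPSHOT" compares as (4, 0, 2).
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(version: str) -> bool:
    parts = parse_version(version)
    if not parts:
        return True  # unparseable version: flag it for manual review
    major = parts[0]
    if major in FIXED:
        return parts < FIXED[major]
    # Assumption: majors below 3 never received a fix; majors above 4 count as "later".
    return major < 3


def scan_tree(text: str, artifact: str = "plexus-utils") -> List[Finding]:
    """Each tree line ends with groupId:artifactId:type[:classifier]:version:scope."""
    findings = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or ":" not in tokens[-1]:
            continue
        coord = tokens[-1].split(":")
        if len(coord) >= 5 and coord[1] == artifact:
            version = coord[-2]  # version sits just before the scope
            findings.append(Finding(f"{coord[0]}:{coord[1]}", version, is_vulnerable(version)))
    return findings


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_TREE):
        print(f"{f.coordinate}:{f.version} -> {'VULNERABLE' if f.vulnerable else 'ok'}")
```

Pipe real output in with `mvn dependency:tree | python3 check_plexus.py` after replacing SAMPLE_TREE with `sys.stdin.read()`; any VULNERABLE line is a place to pin the dependency to a fixed release.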
