RAT-532: Bump org.codehaus.plexus:plexus-utils from 3.6.0 to 4.0.3 in /apache-rat-plugin

[dependabot]

Bumps org.codehaus.plexus:plexus-utils from 3.6.0 to 4.0.3.

Release notes

Sourced from org.codehaus.plexus:plexus-utils's releases.

4.0.3

🚀 New features and improvements

• Add Automatic-Module-Name manifest entry (#314) @​gnodet
• V4 changes to make external usage easier (#278) @​Claudenw

🐛 Bug Fixes

• Fix Zip Slip vulnerability in archive extraction (#296) @copilot-swe-agent[bot]

👻 Maintenance

• Move to Site 2.0 descriptor (#305) @​slachiewicz
• JUnit Jupiter best practices & code cleanups (#302) @​slachiewicz
• Replace FileUtils.fileExists(String) with JDK provided API (#301) @​slachiewicz
• Declare license info in POM (#291) @​Goooler
• Cleanup tests (#283) @​slachiewicz

📦 Dependency updates

• Bump release-drafter/release-drafter from 6 to 7 (#313) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 24 to 25 (#309) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 23 to 24 (#297) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 22 to 23 (#292) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 21 to 22 (#289) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 20 to 21 (#288) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 19 to 20 (#284) @dependabot[bot]
• Bump org.codehaus.plexus:plexus from 18 to 19 (#274) @dependabot[bot]

4.0.2

🐛 Bug Fixes

• Specify /D for cmd.exe to bypass the Command Processor Autorun folder (#272) @​sebthom

📦 Dependency updates

• Bump org.codehaus.plexus:plexus from 17 to 18 (#271) @​dependabot
• Bump org.codehaus.plexus:plexus-xml from 3.0.0 to 3.0.1 (#270) @​dependabot

4.0.1

🚀 New features and improvements

• Add .gitignore to default excludes (#269) @​slawekjaranowski
• downgrade plexus-xml from 4 to 3: keep Maven 3 compatibility (#263) @​hboutemy

📦 Dependency updates

... (truncated)

Commits

• c86a34f [maven-release-plugin] prepare release plexus-utils-4.0.3
• aa38f66 Fix release-drafter v7 branch filtering (#322)
• 08018c8 Use filter-by-range instead of filter-by-commitish (#320)
• bcb8a13 Scope release-drafter to master branch releases (#318)
• 18fa340 Fix release-drafter v7 label validation error (#317)
• a1d6820 Fix release-drafter config for v7 (#316)
• 4ffcc20 Restore release-drafter config with correct tag template (#315)
• d250e15 Add Automatic-Module-Name manifest entry (#314)
• 96227de Delete .github/release-drafter.yml
• 0da61cd Bump release-drafter/release-drafter from 6 to 7
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[ottlinger]

@cstamas sorry to ask so directly - can this version be used with Maven 3.x or is the 4.x version somehow related to Maven4? Thanks

[cstamas]

Please stick with plexus-utils 3.x for Maven3 stuff.

[ottlinger]

@dependabot rebase

[dependabot]

The dependabot.yml entry that created this PR has been deleted so this PR can't be rebased. Please close the PR so Dependabot can create a new one with the current dependabot.yml.

[ottlinger]

Added v4.x to the ignore list as it is for Maven4 only.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

[ottlinger]

@cstamas is there a way to fix the security warning:

Package
Affected versions
Patched version
org.codehaus.plexus:plexus-utils
(Maven)
<= 4.0.2
4.0.3
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

or is this only an 4.x issue and can safely be ignored here?

Thanks for your help

[cstamas]

codehaus-plexus/plexus-utils#296 (comment)

Most probably with 3.6.1?

[cstamas]

Seems fix is already in codehaus-plexus/plexus-utils@plexus-utils-3.6.0...plexus-utils-3.x
but release is pending