# wiremock-java
j
Hey People. I am using wiremock 3.13.1 as a dependency in a project, and a transitive dependency gets triggered in the OWASP Dependency Check. CVE: CVE-2025-48924. It is the commons-lang3 which is included as a shaded dependency in com/github/jknack/handlebars/4.3.1, which is included as a dependency by wiremock. The handlebars project has not had a release since last year and there is no new wiremock version available. Is there any fix for this?
🙏 1
l
I think we just merged a PR that addresses this in the 4.x beta releases. Once this is released you could update to the latest beta and use that in your project. We can't update to the latest handlebars version in the 3.x releases because we still need to support Java 11. That is, unless they backport the dependency update in handlebars.
j
Check. We will suppress the CVE for now, and wait for version 4.
👍 1