Upgrade commons-codec:commons-codec to 1.14 or higher to fix security vulnerability

[Thunderforge]

The security vulnerability tool Snyk identifies a security issue with java-genai using commons-codec:commons-codec@1.11 (which was released on Oct 17, 2017, so 8.5 years ago). From the listing:

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Snyk recommends upgrading to version 1.14 or higher. The latest version of commons-codec:commons-codec as of this writing is 1.21.0, released January 30, 2026.

[hemasekhar-p]

Hi @Thunderforge, thank you for reporting the Snyk vulnerability caused by the transitive commons-codec dependency. We will be filing this issue internally for further action. In the meantime, if you are experiencing build failures or warnings related to this vulnerability, you can explicitly add the commons-codec dependency with latest version in the dependencyManagement section in pom.xml like below. This will ensure you are using the latest version as you mentioned and avoid security alerts.

<dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.15</version>
      </dependency>
    </dependencies>
  </dependencyManagement>