au.com.dius.pact.provider:junit5 4.6.18 has dependency on vulnerable Apache Tika version

[DanCorderIPV]

Apache Tika versions >= 1.13, < 3.2.2 contain a PDF processing vulnerability. I guess it's unlikely that this functionality is used by the pact framework, but it makes security scanners very upset, and the actual fix is in tika-core.

CVE-2025-66516
CVE-2025-54988

Would it be possible to switch to v3.2.2 or higher of Tika?

Worth noting that we have tried forcing the existing pact framework to use v3.2.3 and it results in some pact request bodies being incorrectly Base64 encoded, so it probably isn't a completely trivial update.

[rholshausen]

Upgrading Tika above 2.9.4 will require code changes.

[DanCorderIPV]

Thanks for the reply, does that just mean that it will take longer to fix? Are you able to give an estimate of when it might get fixed?

[rholshausen]

The changes required are unknown at this point. There is no planned maintenance for Pact-JVM at the moment, not until at least early next year.

If someone is able to make the changes and provide a PR, we can get that merged (assuming the build is green), and a new version released.

[csbiggar]

I've had a go at this upgrade - Pull request: #1887 - there's an outstanding question around one of tika-core's breaking changes

Return media type "text/javascript" instead of "application/javascript"
to follow RFC-9239. (TIKA-4119).

I changed pact to honour this rather than keep it as backward compatible, I'm not sure if that was the right thing to do? I think it could be kept backward compatible by extending custom-mimtypes.xml instead with

  <mime-type type="application/json">
    <sub-class-of type="application/javascript"/>
  </mime-type>

(It's my first PR attempt here so please be kind :) )

[rholshausen]

4.6.19 is released