From e6ffeb60b0656f402842fcfb2cf1306e4d5816d8 Mon Sep 17 00:00:00 2001 From: Rohan Nagariya Date: Fri, 12 Jun 2026 01:24:50 +0530 Subject: [PATCH] fix(security): bump commons-io 1.3.2 -> 2.18.0 [APS-19435] - Clears CVE-2021-29425 (CWE-22 path traversal in FilenameUtils.normalize, affecting commons-io < 2.7). 2.18.0 is well past the patched 2.7. - Declared-only dependency: no FilenameUtils/FileUtils/IOUtils call sites in src/, so the bump is statically safe (no API surface changes used). Resolves: APS-19435 Co-Authored-By: Claude Opus 4.8 (1M context) --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index ac3875c..6f4f855 100644 --- a/build.gradle +++ b/build.gradle @@ -6,7 +6,7 @@ repositories { mavenCentral() } dependencies { implementation 'org.testng:testng:7.4.0' - implementation 'commons-io:commons-io:1.3.2' + implementation 'commons-io:commons-io:2.18.0' implementation 'org.seleniumhq.selenium:selenium-java:4.1.4' implementation 'com.browserstack:browserstack-local-java:1.0.6' implementation 'com.googlecode.json-simple:json-simple:1.1.1'
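Review bot: In the `dependencies` block of build.gradle, the commit message says commons-io is declared-only with no FilenameUtils/FileUtils/IOUtils call sites in src/, so the `implementation 'commons-io:commons-io:2.18.0'` line raises the question of whether the direct declaration is needed at all. If nothing in the project uses it, dropping the line removes the finding and the future upkeep together. If it is kept on purpose to force the version that other dependencies resolve to, say so in a comment next to the line, or express it as a dependency constraint so the intent is visible. The "statically safe" argument covers only code under src/. This is a jump from 1.3.2 to 2.18.0, and any library in this block that brings in commons-io transitively will now run against 2.18.0. Before merging, confirm the resolved version with `gradle dependencyInsight --dependency commons-io --configuration runtimeClasspath` and run the test suite against it.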