The dependency com.puppycrawl.tools:checkstyle:8.33 has a transitive dependency on com.google.guava:guava:29.0-jre, which has a moderate severity vulnerability.
Due to the way the dependency configurations are assembled by the plugin, it is difficult for users to upgrade to a newer version. Even if the nohttp Gradle plugin is not itself vulnerable, as more users enable Dependabot alerts for their Gradle repositories, these reports will become widespread.
This could be fixed by either updating the version of checkstyle used in the plugin, by adding a direct dependency on a patched version of guava, or by constraining the version of guava with a published dependency constraint.