spring-cloud-stream-binder-rabbit comes with deprecated httpclient #3169
Description
The module spring-cloud-stream-binder-rabbit comes with a deprecated httpclient;
<dependency>
<!-- TODO: upgrade to httpclient 5 -->
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.5.14</version>
</dependency>This dependency comes with a vulnerability: CVE-2020-13956
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Since it is already marked as a TODO, and this dependency is several years old, it might be time to consider upgrading it?
A side that I coudn't directly find out why this httpclient dependency was needed within spring-cloud-stream-binder-rabbit but there might be a good reason for it?