From fe65f39801d559256b0258b199a2d34e20a9ad8f Mon Sep 17 00:00:00 2001
From: Rob Rudin <rudin@progress.com>
Date: Mon, 28 Apr 2025 15:17:27 -0400
Subject: [PATCH] Removing jdom from geonames dependency

---
 marklogic-client-api/build.gradle | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/marklogic-client-api/build.gradle b/marklogic-client-api/build.gradle
index 86f27d5fb..0847e5501 100644
--- a/marklogic-client-api/build.gradle
+++ b/marklogic-client-api/build.gradle
@@ -62,7 +62,13 @@ dependencies {
 	testImplementation 'org.apache.commons:commons-lang3:3.17.0'
 	testImplementation 'org.apache.httpcomponents:httpclient:4.5.14'
 	testImplementation 'com.opencsv:opencsv:5.10'
-	testImplementation 'org.geonames:geonames:1.0'
+
+	// This is used by a single test - JacksonDatabindTest - and it does not need the jdom module for the test to pass.
+	// The jdom module has a CVE associated with it - https://nvd.nist.gov/vuln/detail/CVE-2021-33813 .
+	testImplementation ('org.geonames:geonames:1.0') {
+		exclude module: "jdom"
+	}
+
 	testImplementation 'org.skyscreamer:jsonassert:1.5.3'
 }