but it appears this is not enough to overwrite the dependency version.
How is that so? Please elaborate.
Is this something that requires a new Gatling version?
No. This vulnerability is only server side (ClientHello parsing), not client side (Gatling’s use case).
Are there plans to fix this?
Gatling Enterprise already has the upgrade.
We’ll probably have an OSS release at the end of this month.
But dependency management should be the correct solution to forcefully upgrade a transitive dependency version. Then, it’s more of a Gradle question than a Gatling one and would probably be best answered on a Gradle forum.
When running gradle dependencies for the project, it still shows the dependency in the old version, and the overwritten version only appears in the buildClasspath/runtimeClasspath.