
Can xerces and xalan dependencies be marked optional in pom.xml?

Open elharo opened this issue 4 years ago • 1 comment

elharo avatar Mar 27 '21 20:03 elharo

A good reason to ask this would be because Xalan has known security issues, and it's unfortunately pointless to tell security analysts that you don't actually use any of the xslt features in xom. If I can prevent xalan from appearing in the dependency tree, that would avoid that experience. I would also wonder whether I can simply exclude it entirely, instead of making it optional.

davidmichaelkarr avatar Aug 31 '22 17:08 davidmichaelkarr

You have complete control of what dependencies do and don't appear in the classpath. XOM does not. If you want to remove Xalan from your classpath, by all means do so. No change to XOM is required to enable this.

elharo avatar Jan 22 '23 13:01 elharo

Taking Xerces out of the classpath causes a number of tests to fail:

[junit] Test nu.xom.tests.BuilderTest FAILED
[junit] Test nu.xom.tests.DocTypeTest FAILED
[junit] Test nu.xom.tests.NodeFactoryTest FAILED
[junit] Test nu.xom.tests.SAXConverterTest FAILED
[junit] Test nu.xom.tests.SerializerTest FAILED
[junit] Test nu.xom.tests.XSLTransformTest FAILED

Most seriously, XML 1.1 is allowed.

To fix this XML1_0Parser would have to be rewritten to use the internal JDK xerces instead of Apache Xerces. However, that would cause problems in more recent JDKs that try to block access to internal com.sun packages. See https://cr.openjdk.org/~mr/jigsaw/jdk8-packages-denied-by-default

elharo avatar May 19 '23 12:05 elharo

I've decided not to mark Xerces optional. Doing so significantly degrades XOM's performance. The JDK bundled is not an adequate replacement. It can still be excluded from the classpath by anyone who cares about this.

Xalan is no longer a dependency as of 1.3.9.

elharo avatar May 21 '23 15:05 elharo
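The advice in this thread (that a consumer, not XOM, decides what lands on the classpath, and that Xalan can be excluded by anyone who cares) can be acted on with a Maven exclusion. The fragment below is an added illustration, not part of the issue or of XOM's own build files; the Maven coordinates `xom:xom`, `xalan:xalan` and `xerces:xercesImpl` are assumed to be the ones published on Maven Central, and the version is a placeholder to be replaced with the release actually in use (the thread states Xalan stopped being a dependency in 1.3.9, so on that or a later release the exclusion is a no-op).

```xml
<!-- Added example: consumer-side pom.xml fragment that pulls in XOM but
     keeps Xalan out of the dependency tree. Coordinates are assumptions;
     the version is a placeholder. -->
<dependency>
    <groupId>xom</groupId>
    <artifactId>xom</artifactId>
    <version>XOM_VERSION_PLACEHOLDER</version>
    <exclusions>
        <!-- Xalan (XSLT engine) is only needed if nu.xom.xslt is used.
             Excluding it removes the transitive artifact that security
             scanners flag, at the cost of XSLTransform no longer working. -->
        <exclusion>
            <groupId>xalan</groupId>
            <artifactId>xalan</artifactId>
        </exclusion>
        <!-- Deliberately NOT excluding Xerces: the maintainer reports that
             removing Apache Xerces degrades performance, breaks several
             test suites and lets XML 1.1 documents through, so the parser
             dependency should stay unless that trade-off is understood. -->
    </exclusions>
</dependency>
```

After editing the pom, run `mvn dependency:tree` and confirm that no `xalan:xalan` node remains under the XOM entry; if a different dependency also pulls Xalan in, it will still appear there and needs its own exclusion. Any code path that calls into `nu.xom.xslt` should be covered by a test so that the missing engine surfaces at build time rather than in production.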