esapi-java-legacy
ESAPI excludes transitive dependency xalan from xom, but does not include it itself
Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself. See https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73, which states:
excluded because we directly import newer versions

Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0

To Reproduce
run mvn dependency:tree

Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)
IIRC, the reason we excluded xalan in the first place was that it had a lot of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.
We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.
Ok, great, that's even better!
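The three dependency declarations discussed in this thread, written out as an added example (not a copy of the project's pom.xml): the exclusion the report describes, the reporter's suggested fix (declare xalan directly so the newer version actually ends up on the classpath), and the fix the maintainer chose (move to xom 1.3.9, which no longer pulls in xalan, and drop the exclusion). The surrounding pom structure and scopes are assumed.

```xml
<!-- Before (ESAPI 2.5.2.0 as reported): xalan is excluded from xom, but no direct
     xalan dependency exists, so the "newer version" the comment refers to is never
     actually resolved; nothing from xalan is on the classpath. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
  <exclusions>
    <exclusion>
      <!-- excluded because we directly import newer versions -->
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Option A (the reporter's suggestion): keep xom as-is and declare xalan directly.
     Maven's nearest-wins resolution prefers a direct dependency over a transitive one,
     so the explicit 2.7.3 overrides whatever xom would have pulled in and the
     exclusion becomes unnecessary. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
</dependency>
<dependency>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.3</version>
</dependency>

<!-- Option B (what the maintainer did): xom 1.3.9 no longer depends on xalan,
     so neither an exclusion nor a direct xalan dependency is needed. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.9</version>
</dependency>
```

Either way, `mvn dependency:tree -Dincludes=xalan` is the check: with Option A it lists xalan:xalan:2.7.3 as a direct dependency, and with Option B it should list no xalan artifact at all unless some other dependency still pulls it in.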