lets-plot-batik: META-INF/services files specify xalan

Open pjfanning opened this issue 1 year ago • 4 comments

Apologies if this is not the right place to report issues in lets-plot-batik.

The lets-plot-batik jar has META-INF/services files for javax.xml, org.apache.xml and org.apache.xalan that refer to xalan classes.

xalan has an open CVE that is not likely to be fixed and the community is mulling shutting down the project. There has only been one xalan-j release since 2008.

Would it be possible to remove these refs to xalan?

  • https://lists.apache.org/thread/s8kjny5270ssfcp46v0fl39lk98987w7
  • https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8

pjfanning, Jul 24 '22 16:07

Sure, we will take a look.

alshan, Jul 26 '22 22:07

However, org.apache.xmlgraphics:batik-dom:1.14 has a dependency on the xalan:xalan:2.7.2 artefact, so we likely will not be able to get rid of xalan entirely.

alshan, Jul 27 '22 00:07

https://issues.apache.org/jira/browse/BATIK-1329 is open.

Still, it would be useful if lets-plot-batik did not set the META-INF/services settings - because they affect all code that runs in a JVM. If lets-plot-batik really needs to use xalan, as opposed to the Java runtime JAXP built-ins or saxon, it could create the xalan factories explicitly.

pjfanning, Jul 27 '22 00:07

A merge has been done for https://issues.apache.org/jira/browse/BATIK-1329 - I'm not sure when a release will be done.

pjfanning, Aug 03 '22 17:08
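
One way to check a jar for the kind of META-INF/services entries discussed in this thread, as an added example that is not part of the issue or of lets-plot's code: it parses each service configuration file and reports providers in the `org.apache.xalan.` package. The sample jar and its entries are constructed for the demo, and `parse_service_file`, `find_providers` and `build_sample_jar` are hypothetical names.

```python
import io
import zipfile

SERVICES_DIR = "META-INF/services/"


def parse_service_file(text):
    """Return provider class names from a ServiceLoader configuration file."""
    providers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if line:
            providers.append(line)
    return providers


def find_providers(jar, provider_prefix="org.apache.xalan."):
    """List (service, provider) pairs whose provider class starts with provider_prefix.

    `jar` is a path or a binary file-like object.
    """
    hits = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.startswith(SERVICES_DIR) or name.endswith("/"):
                continue
            service = name[len(SERVICES_DIR):]  # file name is the service interface
            text = zf.read(name).decode("utf-8", errors="replace")
            for provider in parse_service_file(text):
                if provider.startswith(provider_prefix):
                    hits.append((service, provider))
    return sorted(hits)


def build_sample_jar():
    """Constructed jar for the demo; entries are illustrative, not copied from lets-plot-batik."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(SERVICES_DIR + "javax.xml.transform.TransformerFactory",
                    "# constructed sample\norg.apache.xalan.processor.TransformerFactoryImpl\n")
        zf.writestr(SERVICES_DIR + "com.example.Plugin", "com.example.PluginImpl  # unrelated\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for service, provider in find_providers(build_sample_jar()):
        print(f"{service} -> {provider}")
```

Passing a real jar path to `find_providers` lists every service for which that jar registers a xalan class as the provider.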