asfimport

**PJ Fanning** ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c2)): I'm a member of the ASF Security committee and I'm just trying to nudge PMCs to keep their dependencies up to date. I do a...

@FSchumacher ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c3)): Fair enough.

@vlsi ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c4)): We have public class PropertiesBasedPrefixResolver extends org.apache.xml.utils.PrefixResolverDefault, so we have non-trivial usage of xalan. It does not sound like "just remove runtime-only dependency"

**PJ Fanning** ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c5)): Without xalan, it looks like XPathUtil would need to be rewritten - the 3 imports starting with https://github.com/apache/jmeter/blob/master/src/core/src/main/java/org/apache/jmeter/util/XPathUtil.java#L52 will be lost. XPathFactory in the Java...

@FSchumacher ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c6)): I tried to get rid of the xalan dependency by removing it from the usual places in the gradle files, but it seems that other libraries...

@FSchumacher ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c7)): Another problem I found, is that we guess the return of xpath expressions. The standard XPath api has no such capability. At least, I haven't found...

**PJ Fanning** ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c8)): https://docs.oracle.com/javase/9/docs/api/javax/xml/xpath/XPath.html#evaluateExpression-java.lang.String-org.xml.sax.InputSource- was only added in Java 9 but would do exactly what you need - see https://docs.oracle.com/javase/9/docs/api/javax/xml/xpath/XPathEvaluationResult.html The Saxon S9API may be able to do...

@vlsi ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c9)): I just wonder: is xalan-j really that bad? What if we just fix the CVE in question and release a newer Xalan version? Then **everybody** would...

**PJ Fanning** ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c10)): Xalan is being putting in the ASF attic. The PMC is inactive. Noone benefits from keeping a project alive when there are not enough maintainers....

**PJ Fanning** ([migrated from Bugzilla](https://bz.apache.org/bugzilla//show_bug.cgi?id=66171&redirect=false#c11)): https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8