
Old/Deprecated Dependencies

Open loopforever opened this issue 3 years ago • 5 comments

Hi, my company is adopting DocuSign and I ideally intend to use the Java SDK.

However, in my first attempt to use the latest (as of writing) 3.13.1-RC1 build I see a few disconcerting issues with dependencies which I was hoping to raise here. We have concerns using deprecated and/or unmaintained dependencies for maintenance and security reasons and hope there might be an initiative to update some of these things.

  • Targets Java 9 but still depends on JodaTime which was implemented as java.time.* in JSR-310. (see: https://www.joda.org/joda-time/ ... "users are asked to migrate to java.time.*")

  • Requires javax.ws.rs.* packages whose namespace moved over 2 years ago to jakarta.ws.rs.*. Seems to make the outdated assumption that everyone is using Oracle Java EE 8.

  • org.apache.oltu.oauth2.client.HttpClient ... Apache Oltu was deprecated in 2018. (see: https://oltu.apache.org/ ... big red box: "Oltu has been retired")

  • com.migcomponents.migbase64.Base64 ... we have Base64 built into java.util.* as of Java 8 ... can that be used instead?

Thanks for your consideration!

loopforever avatar Jun 24 '21 22:06 loopforever

@loopforever thanks for the great feedback. Indeed we're due for a modernization of this library. Your request captured most of the items we need to target and they will be addressed in the course of this quarter and the upcoming one.

FYI, the fix for removing Joda library is being tested out and should be released as RC by next week.

mmallis87 avatar Jul 12 '21 17:07 mmallis87

Joda dependency was removed. Thanks for the feedback!

mmallis87 avatar May 27 '22 17:05 mmallis87

org.apache.oltu.oauth2.client introduces a high-level CVE via its dependency on org.json 20140107.

Is there any plan to move away from org.apache.oltu.oauth2.client to remediate this?

realmajortom avatar Jun 13 '23 20:06 realmajortom

> org.apache.oltu.oauth2.client introduces a high-level CVE via its dependency on org.json 20140107.
>
> Is there any plan to move away from org.apache.oltu.oauth2.client to remediate this?

@realmajortom: Yes, we are actively working on this. Please expect this reported security vulnerability to be fixed in the next release. Thanks

avinfinity avatar Jun 25 '24 04:06 avinfinity
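While the SDK-side fix discussed above is pending, a consumer can stop the vulnerable transitive org.json build from reaching the classpath by pinning it in their own build. The Maven fragment below is an added example and not part of the docusign-esign-java-client project or this thread; the DocuSign artifact coordinates (com.docusign:docusign-esign-java) and the Oltu coordinates (org.apache.oltu.oauth2:org.apache.oltu.oauth2.client) are the published Maven ones, the SDK version 3.13.1-RC1 and org.json 20140107 are the ones named in the thread, and the patched org.json version is a placeholder because the thread does not state which release fixes the CVE.

```xml
<!-- Added example, not from the SDK project: pin the transitive org.json
     that org.apache.oltu.oauth2.client pulls in (20140107 per the thread).
     Maven's dependencyManagement wins over any transitive version, so the
     SDK keeps working with Oltu but Oltu resolves the patched org.json. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>
  <artifactId>docusign-consumer</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Replace the placeholder with the org.json release that the
           advisory for this CVE names as fixed; verify with the advisory,
           not with this comment. -->
      <dependency>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
        <version>PATCHED_ORG_JSON_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Version taken from the thread; newer releases may already carry the fix. -->
    <dependency>
      <groupId>com.docusign</groupId>
      <artifactId>docusign-esign-java</artifactId>
      <version>3.13.1-RC1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Fail the build if any org.json older than the pinned version still
           resolves, e.g. through a path dependencyManagement does not cover. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>no-vulnerable-org-json</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- Ban every org.json build below the patched version. -->
                    <exclude>org.json:json:(,PATCHED_ORG_JSON_VERSION)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying the pin, confirm the resolved version with `mvn dependency:tree -Dincludes=org.json` and check that the org.apache.oltu.oauth2.client branch now shows the patched org.json rather than 20140107. The enforcer rule is the safety net: an override that silently fails (for example because a BOM elsewhere in the build re-pins org.json) breaks the build instead of shipping the vulnerable version.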

Hi @loopforever ,

We have done the fix, and it is currently under review internally.

Expect the same as part of the upcoming SDK releases once approved.

Thanks, Vinay

vinz avatar Jul 01 '24 14:07 vinz