jackson-coreutils

Old Dependencies and vulnerabilities

Open brunoorsolon opened this issue 1 year ago • 1 comments

I have noticed that over the years, the number of vulnerabilities due to old dependencies in this module is piling up. https://mvnrepository.com/artifact/com.github.java-json-tools/jackson-coreutils/2.0

The repository seems abandoned, but did anyone bother to try to update the dependencies or just move on and use something else?

brunoorsolon, Oct 16 '23 10:10

Maintenance appears to have moved to: https://github.com/java-json-tools/jackson-coreutils

I'm not sure why searching GitHub insists on pointing only to this original repo - nor does it give links to the 31 forks that have apparently been made! 🫤

The level of voluntary maintenance is still low, and on the flip-side, keeping old dependencies does maximise compatibility. (At time of writing it looks like the lib still supports Java 7!) So I would say to just specify (minimal) versions of its few transient deps in your build logic.

lukeu, May 17 '24 09:05
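One way to apply the suggestion in the comment above, as an added Maven example that is not from the thread or from the project. It assumes a Maven build and that the dependency being raised is jackson-databind, pulled in through jackson-coreutils; the BOM version is a placeholder to fill with a release your scanner reports clean.

```xml
<!-- Added example (pom.xml fragment). Assumptions: Maven build; the Jackson
     modules are the transitive dependencies of jackson-coreutils to raise. -->
<properties>
  <!-- Placeholder, not a recommendation: set to a patched Jackson release. -->
  <jackson.version>REPLACE_WITH_PATCHED_VERSION</jackson.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the Jackson BOM keeps jackson-core, jackson-annotations and
         jackson-databind on one version, overriding what the library asks for. -->
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>${jackson.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.github.java-json-tools</groupId>
    <artifactId>jackson-coreutils</artifactId>
    <version>2.0</version>
  </dependency>
</dependencies>

<build>
  <plugins>
    <!-- Fails the build if the resolved version of any dependency is lower
         than a version some other dependency in the tree requires. -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.4.1</version>
      <executions>
        <execution>
          <id>enforce-upper-bounds</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules><requireUpperBoundDeps/></rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` afterwards shows which Jackson versions were actually resolved.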