
Distribution Package appears to provide two competing versions of ehcache

Open jf-kisters opened this issue 11 months ago • 2 comments

Holodeckb2b-distribution-6.1.0.zip contains two files:

  • ehcache-2.10.5.jar
  • ehcache-3.10.8.jar

I am quite certain that the 2.10.5 is outdated and can be safely removed.

jf-kisters avatar Mar 14 '24 13:03 jf-kisters

The package naming is different for these versions, so the new version cannot directly replace the old one if dependent code uses the old names. The 2.10.5 version is included as it is a dependency of the WS-Security library. But since Holodeck B2B does not use the functionality from the security library that includes caching, I indeed believe it could be removed. The upcoming version of HB2B upgrades to a newer version of the WS-Security library and this issue is resolved.

sfieten avatar Aug 01 '24 13:08 sfieten

Yeah, we tested by removing the library and also did a scan for imports, which (afaik) came back negative. We are already operating an installation where we manually deleted that file (due to a CVE being present in 2.10.5).

jf-kisters avatar Aug 02 '24 08:08 jf-kisters
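
The two checks discussed in this thread (spotting an artifact shipped in more than one version, and scanning the other jars for references to the old Ehcache package names) can be scripted as below. This is an added example, not code from the thread or from the Holodeck B2B project; the `lib/` layout and the `example-*` jars are constructed sample data, and the scan is a plain byte search rather than a class-file parser.

```python
import io
import re
import zipfile
from collections import defaultdict

# Ehcache 2.x lives in net.sf.ehcache, 3.x in org.ehcache. Compiled classes store
# names with slashes; reflection strings use dots, so look for both forms.
OLD_PKG = (b"net/sf/ehcache/", b"net.sf.ehcache.")
JAR_NAME = re.compile(r"(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")

def duplicate_artifacts(jar_paths):
    """Return {artifact: [versions]} for artifacts shipped in more than one version."""
    seen = defaultdict(set)
    for path in jar_paths:
        m = JAR_NAME.match(path.rsplit("/", 1)[-1])
        if m:
            seen[m["artifact"]].add(m["version"])
    return {a: sorted(v) for a, v in seen.items() if len(v) > 1}

def classes_referencing(dist_zip, needles=OLD_PKG, skip="ehcache-2."):
    """Return {jar path: [class entries]} whose bytes mention any needle."""
    hits = {}
    with zipfile.ZipFile(dist_zip) as dist:
        for path in dist.namelist():
            base = path.rsplit("/", 1)[-1]
            if not base.endswith(".jar") or base.startswith(skip):
                continue  # skip non-jars and the old Ehcache jar itself
            with zipfile.ZipFile(io.BytesIO(dist.read(path))) as jar:
                found = [c for c in jar.namelist() if c.endswith(".class")
                         and any(n in jar.read(c) for n in needles)]
            if found:
                hits[path] = found
    return hits

def build_sample_dist():
    """Constructed in-memory distribution; the 'classes' are stand-in bytes."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    dist = io.BytesIO()
    with zipfile.ZipFile(dist, "w") as z:
        z.writestr("lib/ehcache-2.10.5.jar", jar({"net/sf/ehcache/Cache.class": b"net/sf/ehcache/Cache"}))
        z.writestr("lib/ehcache-3.10.8.jar", jar({"org/ehcache/Cache.class": b"org/ehcache/Cache"}))
        z.writestr("lib/example-sec-1.0.jar", jar({"ex/Replay.class": b"\xca\xfe\xba\xbe net/sf/ehcache/CacheManager"}))
        z.writestr("lib/example-app-1.0.jar", jar({"ex/Main.class": b"\xca\xfe\xba\xbe java/lang/Object"}))
    dist.seek(0)
    return dist
```

A hit only shows that a class names the old package, not that the code path is ever executed, and an empty result does not cover class names supplied through configuration files.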