
removed shaded org.apache.commons.text

Open svettwer opened this issue 3 years ago • 4 comments

Follow up on https://github.com/jknack/handlebars.java/pull/1010. Removing the shaded org.apache.commons.commons-text that might trigger scanners related to CVE-2022-42889.

Discussion: https://github.com/jknack/handlebars.java/issues/1009

svettwer avatar Oct 18 '22 12:10 svettwer
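The issue above is about a shaded copy of commons-text that makes dependency scanners flag CVE-2022-42889. The following script is an added example and not code from the handlebars.java project: it performs one of the checks such scanners rely on, reading the META-INF/maven/*/*/pom.properties files that a shade plugin carries over from the libraries it bundles, and flags any bundled commons-text in the affected range (1.5 through 1.9, fixed in 1.10.0, per the CVE record). The jars it inspects are constructed in memory, and the handlebars and commons-text versions written into them are made up for the demonstration, not a statement about any real release.

```python
import io
import sys
import zipfile
from typing import Dict, List, Tuple

# CVE-2022-42889: Apache Commons Text 1.5 through 1.9 affected, 1.10.0 is the fixed release.
AFFECTED_ARTIFACT = ("org.apache.commons", "commons-text")
FIRST_AFFECTED = (1, 5)
FIXED_VERSION = (1, 10, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' or '1.10.0-SNAPSHOT' into a comparable tuple; a non-numeric tail is dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines Maven writes into pom.properties (comments start with '#')."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes: bytes) -> List[Dict[str, str]]:
    """Return the Maven coordinates of every artifact whose pom.properties is inside the jar.

    A shaded jar keeps the pom.properties of the libraries it swallowed even when the
    classes were relocated, which is why a scanner still sees the original coordinates.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", errors="replace"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    found.append({k: props[k] for k in ("groupId", "artifactId", "version")})
    return found


def vulnerable_commons_text(jar_bytes: bytes) -> List[str]:
    """List every bundled commons-text version that falls in the CVE-2022-42889 range."""
    hits = []
    for artifact in bundled_artifacts(jar_bytes):
        if (artifact["groupId"], artifact["artifactId"]) == AFFECTED_ARTIFACT:
            version = parse_version(artifact["version"])
            if FIRST_AFFECTED <= version < FIXED_VERSION:
                hits.append(artifact["version"])
    return hits


def build_jar(entries: Dict[str, str]) -> bytes:
    """Build an in-memory jar (a zip file) from a name -> content mapping. Test helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a library jar that shaded commons-text 1.9 (hypothetical versions).
SHADED_JAR = build_jar({
    "META-INF/maven/com.github.jknack/handlebars/pom.properties":
        "groupId=com.github.jknack\nartifactId=handlebars\nversion=4.3.0\n",
    "META-INF/maven/org.apache.commons/commons-text/pom.properties":
        "#Generated by Maven\ngroupId=org.apache.commons\nartifactId=commons-text\nversion=1.9\n",
    "com/github/jknack/handlebars/Handlebars.class": "",
})

# Constructed sample: the same jar with the shaded copy removed, commons-text is now a plain dependency.
CLEAN_JAR = build_jar({
    "META-INF/maven/com.github.jknack/handlebars/pom.properties":
        "groupId=com.github.jknack\nartifactId=handlebars\nversion=4.3.1\n",
    "com/github/jknack/handlebars/Handlebars.class": "",
})


if __name__ == "__main__":
    # Usage: python scan_jar.py path/to/some.jar ... (defaults to the two constructed samples)
    samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("shaded.jar", SHADED_JAR), ("clean.jar", CLEAN_JAR)]
    for label, data in samples:
        print(label, "vulnerable commons-text:", vulnerable_commons_text(data) or "none")
```

Run it against a real handlebars jar to confirm whether the shaded copy (and the pom.properties that advertises it) is gone; a jar with relocated classes but no leftover pom.properties will pass this check, so it only tells you what metadata-based scanners will see, not whether the code itself is still embedded.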

In the past they caused version conflicts with other libraries. That was the reason why I shaded it.

jknack avatar Oct 18 '22 12:10 jknack

Maybe those can be resolved with some Maven dependency tree magic then. I also used shading once back in the day, but the price is high. Although a clean and well-maintained dependency tree is not easy to achieve either. Maybe a handlebars-bom module might help to get everything together and iron out dependency graph issues more efficiently?

svettwer avatar Oct 18 '22 12:10 svettwer

As mentioned here, this is definitely something for the next major version.

svettwer avatar Oct 18 '22 12:10 svettwer

@jknack it would be good if we removed the shaded commons-text in 4.3.1, because I wonder whether the commons-text lib will still get a security issue in the near future, and then we would need to take time for a hotfix again.

hungphamzto avatar Oct 18 '22 12:10 hungphamzto