pddl4j
Dependencies in Maven Artefact
Thank you for your work on PDDL4J!
Today I noticed that the current Maven Artefact of PDDL4J (Maven) is packed with all its compiled dependencies, for example: Log4j, JUnit, etc. This leads to several drawbacks:
- Runtime exceptions: If one of these libraries is used within the same project, PDDL4J cannot be used because of the code duplication of the same library (with different versions). This leads to exceptions, for example a 'java.lang.NoSuchMethodError' if another version of Log4j is used in the same project.
- Security issues: the packed Log4j version is highly unsafe because of the critical vulnerability CVE-2021-44228, a.k.a. Log4Shell (CVSS severity level 10 out of 10).
- Bulky dependency: Some of the packed dependencies, e.g. JUnit, are not necessary in the Maven artefact and only increase the file size.
I think this can easily be fixed with a small change in the build/publish workflow. Thank you!
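The check a consumer of such an artifact would want to run, as an added example that is not part of the issue or of the PDDL4J project: open the jar as a zip, list the third-party class prefixes it bundles, read the `META-INF/maven/*/*/pom.properties` entries that shaded dependencies usually carry, and flag a bundled log4j-core older than 2.15.0 (the release that fixed CVE-2021-44228) when the `JndiLookup` class is present. The sample jar built inline is constructed for the example; the package names, the Log4j version 2.14.1 and the JUnit version are assumptions, not values taken from the real artifact.

```python
"""Inspect a Maven artifact (jar) for shaded third-party dependencies.

Added example, not PDDL4J project code. Builds a constructed jar in memory
with the kind of entries a fat jar carries, then reports which dependencies
are bundled and whether the bundled Log4j is affected by CVE-2021-44228.
"""
import io
import re
import zipfile

# Package prefixes that should not appear inside a library's own artifact.
# The mapping is an assumption for this example, not an exhaustive list.
THIRD_PARTY_PREFIXES = {
    "org/apache/logging/log4j/": "log4j",
    "org/junit/": "junit",
    "junit/framework/": "junit",
}
# The class that performs the JNDI lookup exploited by CVE-2021-44228.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
LOG4J_FIXED = (2, 15, 0)  # first log4j-core release with CVE-2021-44228 fixed


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a non-numeric qualifier ends the tuple."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def parse_properties(data):
    """Minimal Java .properties reader (key=value lines, '#' comments)."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_bytes):
    """Report bundled dependencies found in a jar given as bytes.

    'log4j_vulnerable' is True when a log4j-core below 2.15.0 is bundled
    together with JndiLookup.class, False when the version is fixed, and
    None when no log4j-core version could be determined.
    """
    report = {"bundled": set(), "versions": {},
              "jndi_lookup": False, "log4j_vulnerable": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for prefix, dep in THIRD_PARTY_PREFIXES.items():
                if name.startswith(prefix) and name.endswith(".class"):
                    report["bundled"].add(dep)
            if name == JNDI_LOOKUP:
                report["jndi_lookup"] = True
            m = POM_PROPS.match(name)
            if m:
                props = parse_properties(zf.read(name))
                key = f"{m.group(1)}:{m.group(2)}"
                report["versions"][key] = props.get("version", "")
    core = report["versions"].get("org.apache.logging.log4j:log4j-core")
    if core:
        report["log4j_vulnerable"] = (parse_version(core) < LOG4J_FIXED
                                      and report["jndi_lookup"])
    return report


def inspect_jar_file(path):
    """Convenience wrapper for a jar on disk, e.g. one from ~/.m2."""
    with open(path, "rb") as fh:
        return inspect_jar(fh.read())


def build_sample_jar(bundle_dependencies=True):
    """Constructed jar: a library class plus, optionally, shaded deps."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; contents do not matter here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example/planner/Planner.class", stub)  # assumed name
        if bundle_dependencies:
            zf.writestr("org/apache/logging/log4j/Logger.class", stub)
            zf.writestr(JNDI_LOOKUP, stub)
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                        b"version=2.14.1\ngroupId=org.apache.logging.log4j\n"
                        b"artifactId=log4j-core\n")  # constructed version
            zf.writestr("org/junit/Assert.class", stub)
            zf.writestr("META-INF/maven/junit/junit/pom.properties",
                        b"version=4.12\ngroupId=junit\nartifactId=junit\n")
    return buf.getvalue()


if __name__ == "__main__":
    r = inspect_jar(build_sample_jar())
    print("bundled:", sorted(r["bundled"]))
    print("log4j-core:", r["versions"].get("org.apache.logging.log4j:log4j-core"),
          "JndiLookup present:", r["jndi_lookup"],
          "vulnerable:", r["log4j_vulnerable"])
```

Pointing `inspect_jar_file` at a real artifact from the local Maven repository gives the same report; an empty `bundled` set is what a correctly published library should produce, with Log4j and JUnit resolved through the POM (and JUnit in test scope) rather than shipped inside the jar.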
You're right.
We will change this in the next release which is in preparation in the devel branch.