Open in-fke opened 10 months ago
IIRC, the reason we excluded xalan in the first place was that it had a lot of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.
We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.
Ok, great, that's even better!
Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself, see https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73 it states

Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0

To Reproduce
run
mvn dependency:tree

Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)
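The three pom.xml shapes discussed in this thread, written out as an added example (not the project's actual pom.xml): the exclusion ESAPI carried, the explicit direct dependency the reporter suggests, and the xom 1.3.9 upgrade the maintainer applied. Artifact coordinates are the ones named in the thread; the surrounding pom structure is assumed.

```xml
<!-- 1. As shipped: xalan is excluded from xom because of its unpatched known
     vulnerabilities, and ESAPI used no xom functionality that needed it.
     Nothing else declares xalan, so it is simply absent from the graph. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
  <exclusions>
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- 2. Reporter's suggestion: drop the exclusion and declare xalan directly.
     Maven's "nearest wins" mediation prefers a direct (depth 1) declaration
     over the transitive one from xom, so 2.7.3 is the version resolved. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
</dependency>
<dependency>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.3</version>
</dependency>

<!-- 3. Maintainer's fix: xom 1.3.9 no longer depends on xalan, so neither the
     exclusion nor a direct xalan dependency is needed. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.9</version>
</dependency>
```

After either change, `mvn dependency:tree` (the reproduce step above) shows which xalan version, if any, ends up in the resolved graph.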