ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

ESAPI excludes transitive dependency xalan from xom, but does not include it itself #795

Open in-fke opened 10 months ago

in-fke commented 10 months ago

Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself. See https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73, which states:

excluded because we directly import newer versions

Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0

To Reproduce
run mvn dependency:tree

Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)

kwwall commented 10 months ago

IIRC, the reason we excluded xalan in the first place was that it had a lot of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.

We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.
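A check for the `mvn dependency:tree` reproduction step in the report and for the two outcomes discussed in this thread (a direct xalan:xalan:2.7.3 dependency, or no xalan at all once xom 1.3.9 drops it), as an added example that is not ESAPI project code: it parses the text format of the tree listing and reports whether an artifact is absent, present at or above a minimum version, or present below it. The sample trees are constructed; the 2.7.1 and commons-io versions in them are placeholders, not real ESAPI output.

```python
"""Check a `mvn dependency:tree` listing for an artifact's presence and version.
Added example, not ESAPI project code. Tree lines look like
`[INFO] +- xom:xom:jar:1.3.8:compile` (group:artifact:type[:classifier]:version[:scope]).
"""
import re
from typing import List, Tuple

# Strips the "[INFO] " prefix and the tree-drawing characters (| + \ - and spaces).
_PREFIX = re.compile(r"^\[INFO\]\s*[|+\\\- ]*")


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every dependency line in the listing."""
    found = []
    for line in text.splitlines():
        m = _PREFIX.match(line)
        if not m:
            continue
        parts = line[m.end():].strip().split(":")
        if len(parts) < 4 or not all(parts):
            continue  # plugin banners, BUILD SUCCESS, etc. are not coordinates
        version = parts[3] if len(parts) <= 5 else parts[4]  # 6 fields => classifier present
        found.append((parts[0], parts[1], version))
    return found


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric-aware ordering so 2.7.10 sorts after 2.7.3."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def check_artifact(text: str, group: str, artifact: str, minimum: str):
    """'absent' if never resolved, 'ok' if every copy >= minimum, else 'below-minimum'."""
    versions = [v for g, a, v in parse_tree(text) if (g, a) == (group, artifact)]
    if not versions:
        return "absent", versions
    if all(version_key(v) >= version_key(minimum) for v in versions):
        return "ok", versions
    return "below-minimum", versions


# Constructed samples (not real ESAPI output): old xalan pulled in transitively,
# xalan declared directly at 2.7.3, and xom 1.3.9 with no xalan at all.
TREE_TRANSITIVE = """[INFO] org.owasp.esapi:esapi:jar:2.5.2.0
[INFO] +- xom:xom:jar:1.3.8:compile
[INFO] |  \\- xalan:xalan:jar:2.7.1:compile
[INFO] \\- commons-io:commons-io:jar:2.11.0:compile"""
TREE_DIRECT = """[INFO] org.owasp.esapi:esapi:jar:2.5.2.0
[INFO] +- xom:xom:jar:1.3.8:compile
[INFO] \\- xalan:xalan:jar:2.7.3:compile"""
TREE_EXCLUDED = """[INFO] org.owasp.esapi:esapi:jar:2.5.2.0
[INFO] \\- xom:xom:jar:1.3.9:compile"""

if __name__ == "__main__":
    for name, tree in [("transitive", TREE_TRANSITIVE), ("direct", TREE_DIRECT), ("dropped", TREE_EXCLUDED)]:
        print(name, check_artifact(tree, "xalan", "xalan", "2.7.3"))
```

Run it against real output with `mvn dependency:tree | python3 check_tree.py` after swapping the constructed samples for `sys.stdin.read()`.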

in-fke commented 10 months ago

Ok, great, that's even better!