Closed rlsf closed 1 year ago
Yes, that's reasonable.
@cowtowncoder Thanks, I saw you updated the branch here: https://github.com/FasterXML/jackson-dataformat-xml/commit/ecebf4dbc3ce70c300c066aa29cb1003b465b331
Is it possible to release a patch version (2.13.5?) with this fix?
@rlsf Eventually yes. But it takes me half a day of "spare" time to do a full release so I won't be doing that for just a single dependency version update. But when 2.13.5 is ready (a few other fixes, been 2-4 months since 2.13.4), yes. So basically I have to prioritize my limited OSS development time here.
2.14.0 will be released within a week now.
com.fasterxml.woodstox:woodstox-core:6.3.1 is marked as vulnerable by this CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-40153
I noticed the master branch already points to 6.4.0. Is it possible to merge this change to the 2.13 branch and release a fix for this CVE, as 2.14 is still in the works?