Closed loopforever closed 1 month ago
mmallis87
commented
3 years ago @loopforever thanks for the great feedback. Indeed we're due for a modernization of this library. You request captured most of the items we need to target and they will be addresses in the course of this quarter and the upcoming one.
FYI, the fix for removing Joda library is being tested out and should be released as RC by next week.
mmallis87
commented
2 years ago Joda dependency was removed. Thanks for the feedback!
realmajortom
commented
1 year ago org.apache.oltu.oauth2.client introduces a high-level CVE via its dependency on org.json 20140107.
Is there any plan to move away from org.apache.oltu.oauth2.client to remediate this?
avinfinity
commented
2 months ago
org.apache.oltu.oauth2.clientintroduces a high-level CVE via its dependency on org.json 20140107.Is there any plan to move away from
org.apache.oltu.oauth2.clientto remediate this?
@realmajortom : Yes , we are actively working on this. Please expect this reported security vulnerability to be fixed in next release. Thanks
vinz
commented
2 months ago Hi @loopforever ,
We have done the fix, and is currently under review internally.
Expect the same part of the upcoming SDK releases once approved.
Thanks, Vinay
vinz
commented
1 month ago Hi @loopforever
Happy to report that the fix is now included in latest docusign-esign-java SDK:
https://central.sonatype.com/artifact/com.docusign/docusign-esign-java.
Please check and revert so that we can close this github issue.
Thanks, Vinay
vinz
commented
1 month ago Hi @loopforever ,
We hope the resolution provided has fixed the issue you were experiencing. As we haven't heard back from you, we will be closing this issue for now.
If you have any further questions or if the problem persists, please feel free to reopen this issue or create a new one. We're always here to help!
Thank you for your understanding.
Best regards, Vinay C
Hi, my company is adopting DocuSign and I ideally intend to use the Java SDK.
However, in my first attempt to use the latest (as of writing) 3.13.1-RC1 build I see a few disconcerting issues with dependencies which I was hoping to raise here. We have concerns using deprecated and/or unmaintained dependencies for maintenance and security reasons and hope there might be an initiative to update some of these things.
Targets Java 9 but still depends on JodaTime which was implemented as java.time. in JSR-310. (see: https://www.joda.org/joda-time/ ... "users are asked to migrate to java.time.")
Requires javax.ws.rs. packages whose namespace moved over 2 years ago to jakarta.ws.rs. . Seems to make the outdated assumption that everyone is using Oracle Java EE 8.
org.apache.oltu.oauth2.client.HttpClient ... Apache Oltu was deprecated in 2018. (see: https://oltu.apache.org/ ... big red box: "Oltu has been retired")
com.migcomponents.migbase64.Base64 ... we have Base64 built into java.util.* as of Java 8 ... can that be used instead?
Thanks for your consideration!