highsource / jaxb2-basics

Useful plugins and tools for JAXB2.
BSD 2-Clause "Simplified" License

Bump commons-beanutils #161

Closed winne42 closed 8 months ago

winne42 commented 2 years ago

Hi there, we are currently using jaxb2-basics:0.13.1 Unfortunately, this has a dependency to commons-beanutils:commons-beanutils:1.9.3, which has a known security vulnerability, see https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.9.3

Is there any chance we could get a 0.13.2 release that uses beanutils 1.9.4 instead?

laurentschoelens commented 1 year ago

Hi @winne42 : upgrade done in PR https://github.com/highsource/jaxb2-basics/pull/165

winne42 commented 1 year ago

@laurentschoelens great, thanks!

neseleznev commented 1 year ago

Hi @winne42 : upgrade done in PR #165

Thank you for this, but I suppose that https://github.com/highsource/jaxb2-basics/pull/119 does it as well and could be merged in seconds (thus, version has to be bumped & released), rather than your PR with 646 files changed :)

laurentschoelens commented 1 year ago

Yes for sure but @mattrpav plans to move to jakarta so I suppose this will be the plan. He'll do the best choice I think

laurentschoelens commented 1 year ago

@winne42 you can use the new jaxb2-basics coordinates in the jaxb-tools repository. Version 2.0.4 is available with some bugfixes in it. Will publish a new version here too with the same fix and relocation info.

winne42 commented 1 year ago

Hello @laurentschoelens , thanks for the info! I don't quite understand the relationship between jaxb2-basics and jaxb-tools yet (and I couldn't find info in the README.md files). Does jaxb2-basics now live in the jaxb-tools repo and this repo here is obsolete? Is there a separate artifact or are jaxb2-basics' classes included in the jaxb-tools artifact? Should I just use org.jvnet.jaxb:jaxb2-basics-tools:2.0.4 as dependency?

This is still a bit confusing. jaxb-tools' README.md even includes git conflict markers ;-)

laurentschoelens commented 1 year ago

Yes: we decided, in order to provide jakarta versions of all artifacts, to merge all jaxb-related repositories into the former maven-jaxb2-plugin repository, renamed as jaxb-tools. Everything is still split (and as independent as it should be) and will stay split in maven artifacts.

README.md is currently being rewritten too (PR waiting to be merged) in jaxb-tools. After the jakarta migration, we'll do some cleanup on "deprecated" repositories, adding mentions in README.md and releasing a latest version with maven relocation info.

You can use the following to build with commons-beanutils upgraded. Feel free to get back if there are any problems.

<dependency>
    <groupId>org.jvnet.jaxb</groupId>
    <artifactId>jaxb2-basics</artifactId>
    <version>2.0.4</version>
</dependency>
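
Added example (not code from the thread or from the jaxb2-basics project): a pom.xml fragment, assuming a Maven build as the snippet above implies, showing the two ways of getting commons-beanutils 1.9.4 onto the classpath. Option A keeps the old 0.13.1 artifact (its old groupId org.jvnet.jaxb2_commons is assumed here) and pins the transitive commons-beanutils with dependencyManagement; option B switches to the new coordinates given in the comment above.

```xml
<project>
  <!-- Added example, not from the jaxb2-basics thread. Assumes a Maven build. -->

  <!-- Option A: stay on the old artifact but force the transitive
       commons-beanutils to 1.9.4. Maven applies dependencyManagement to
       every transitive path, so 1.9.3 pulled in by jaxb2-basics 0.13.1
       is replaced by 1.9.4 without touching jaxb2-basics itself. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Option A: old coordinates (groupId assumed), version from the thread. -->
    <dependency>
      <groupId>org.jvnet.jaxb2_commons</groupId>
      <artifactId>jaxb2-basics</artifactId>
      <version>0.13.1</version>
    </dependency>

    <!-- Option B: new coordinates from the comment above; 2.0.4 already
         ships with the upgraded commons-beanutils, so no pin is needed.
         Use one option or the other, not both. -->
    <dependency>
      <groupId>org.jvnet.jaxb</groupId>
      <artifactId>jaxb2-basics</artifactId>
      <version>2.0.4</version>
    </dependency>
  </dependencies>
</project>
```

After either change, confirm which version is actually resolved with `mvn dependency:tree -Dincludes=commons-beanutils`; the tree should list only 1.9.4 and no remaining 1.9.3 path. If jaxb2-basics is declared as a dependency of the maven-jaxb2-plugin rather than of the project (the situation the later "plugin dependency" comment refers to), plugin dependencies are resolved separately from project dependencies, so put the commons-beanutils 1.9.4 entry in that plugin's own `<dependencies>` block instead of relying on dependencyManagement.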

winne42 commented 1 year ago

Thanks for the quick and thorough explanation, @laurentschoelens !

laurentschoelens commented 1 year ago

Fixed artifactId which was not the one to be declared as plugin dependency

laurentschoelens commented 8 months ago

Fixed in jaxb-tools v2 branch and further