Open andregmoeller opened 4 years ago
I also have a dependency problem. The dependencies javen:jaxen:1.1.6 and xml-apis:xml-apis:1.4.01 bring a package that already comes from Java 11: org.w3c.dom, so I have a conflict. Maven repository also says that xml-apis was moved to xerces:xmlParserAPIs.
Is there no one to maintain it?
@khmarbaise do you think you can create a new release in the next couple of days?
I know, nobody is getting paid for working on this nice library, but it's really sad it doesn't get the support/attention it deserves/requires ... :-(
Maybe some enthusiasts would work on this, if ever there would be any support from mainstream developer. In the current state, even if someone would propose a pull request, it would not be accepted, as if the developer just abandoned it. But maybe there is a fork which is more "alive"? I couldn't find any, though.
First off, thanks for all the work that has gone into this library! Currently, the latest release of java-client-api is 0.3.8. It depends on com.fasterxml.jackson.core:jackson-databind:2.3.4, which has several vulnerabilities – see the GitHub Advisory Database. I expect that most, if not all, vulnerabilities are irrelevant in the context of java-client-api. But nevertheless I would like to ask you to release a new version of java-client-api, which depends on a newer version of com.fasterxml.jackson.core:jackson-databind. I see that the current pom.xml references com.fasterxml.jackson.core:jackson-databind:2.9.9, which has far fewer vulnerabilities, and there is PR #450, which suggests bumping jackson-databind.version to 2.10.3.
At work, we are using OWASP Dependency Check to scan Java projects to identify the use of known vulnerable components. It reports that one of my projects uses a component that has known critical vulnerabilities. The reason for that is that the respective project depends on java-client-api:0.3.8, which depends on com.fasterxml.jackson.core:jackson-databind:2.3.4.
I saw that Milestone 0.4.0 is 79% complete. Is it necessary to close all of the remaining open issues? Which ones are the most important ones?