jenkinsci / java-client-api

A Jenkins API client for Java
MIT License

Please release a new version. #454

Open andregmoeller opened 4 years ago

andregmoeller commented 4 years ago

First off, thanks for all the work that has gone into this library! Currently, the latest release of java-client-api is 0.3.8. It depends on com.fasterxml.jackson.core:jackson-databind:2.3.4, which has several vulnerabilities – see the GitHub Advisory Database. I expect that most, if not all, vulnerabilities are irrelevant in the context of java-client-api. But nevertheless I would like to ask you to release a new version of java-client-api, which depends on a newer version of com.fasterxml.jackson.core:jackson-databind. I see that the current pom.xml references com.fasterxml.jackson.core:jackson-databind:2.9.9, which has far fewer vulnerabilities, and there is PR #450, which suggests bumping jackson-databind.version to 2.10.3. At work, we are using OWASP Dependency Check to scan Java projects to identify the use of known vulnerable components. It reports that one of my projects uses a component that has known critical vulnerabilities. The reason for that is that the respective project depends on java-client-api:0.3.8, which depends on com.fasterxml.jackson.core:jackson-databind:2.3.4. I saw that Milestone 0.4.0 is 79% complete. Is it necessary to close all of the remaining open issues? Which ones are the most important ones?

LucasSegersFabro commented 4 years ago

I also have a dependency problem.

The dependencies javen:jaxen:1.1.6 and xml-apis:xml-apis:1.4.01 bring a package that already comes with Java 11: org.w3c.dom, so I have a conflict.

Maven repository also says that xml-apis was moved to xerces:xmlParserAPIs
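While no new release is available, a consuming project can mitigate both problems raised in this thread on its own side: pin the transitive jackson-databind to a newer version through dependencyManagement, exclude xml-apis so it no longer shadows the org.w3c.dom classes shipped with the JDK, and wire OWASP Dependency Check into the build so the finding is caught automatically. The pom.xml below is an added example written for this thread, not code from the java-client-api project. It assumes the library's Maven coordinates are com.offbytwo.jenkins:jenkins-client (not stated on this page) and uses 2.10.3 only because PR #450 proposes it; the dependency-check-maven version is a placeholder to be replaced with a current release.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the consuming project. -->
  <groupId>com.example</groupId>
  <artifactId>jenkins-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Version to pin; 2.10.3 is the value PR #450 proposes in the thread above. -->
    <jackson-databind.version>2.10.3</jackson-databind.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over the 2.3.4 that java-client-api 0.3.8
           pulls in transitively, without forking or rebuilding the library. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson-databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- Assumed coordinates of java-client-api; verify against Maven Central. -->
      <groupId>com.offbytwo.jenkins</groupId>
      <artifactId>jenkins-client</artifactId>
      <version>0.3.8</version>
      <exclusions>
        <!-- xml-apis duplicates org.w3c.dom, which the JDK already provides on Java 11. -->
        <exclusion>
          <groupId>xml-apis</groupId>
          <artifactId>xml-apis</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- OWASP Dependency Check runs in the verify phase and fails the build
           when any dependency carries a known vulnerability with CVSS >= 7. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>REPLACE_WITH_CURRENT_RELEASE</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After applying this, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` should show jackson-databind at the pinned version rather than 2.3.4, and `mvn verify` runs the scan. Pinning a dependency several minor versions ahead of what the library was built against is a binary-compatibility risk, so exercise the code paths that use Jackson in tests before relying on it; the override removes the reported vulnerable component but does not substitute for an upstream release.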

walnut-tom commented 4 years ago

Is there no one to maintain it?

mivola commented 4 years ago

@khmarbaise do you think you can create a new release in the next couple of days?

mivola commented 4 years ago

I know, nobody is getting paid for working on this nice library, but it's really sad it doesn't get the support/attention it deserves/requires ... :-(

vadipp commented 1 year ago

Maybe some enthusiasts would work on this, if ever there were any support from the mainstream developer. In the current state, even if someone proposed a pull request, it would not be accepted, as if the developer had just abandoned it. But maybe there is a fork which is more "alive"? I couldn't find any, though.

walnut-tom commented 1 year ago

image