narupley / not-going-to-be-commons-ssl

A Java 9, 10, 11+ compliant fork of Not-Yet-Commons-SSL
Apache License 2.0

Don't depend on version 3.1 of commons-httpclient #7

Open bwf93 opened 4 years ago

bwf93 commented 4 years ago

commons-httpclient version 3.1 has several known vulnerabilities. The artifact is renamed for 4.x and should be used instead.

narupley commented 4 years ago

Aye aye! I'll try to make some time in the near future to address this and some of the other issues!

gthazmatt commented 4 years ago

I second the request. If it helps at all, the main issue you'll have with migrating will be with the HttpSecureProtocol class as the SecureProtocolSocketFactory class has been completely removed. I don't see anything resembling an alternative to it.