Currently, we ship a version of vnu.jar which uses log4j v1.2.17 and commons-fileupload v1.3.1 both of which have severe (probably irrelevant) vulnerabilities. This is preventing automatic deployment of html5validator in secure environments. As the upstream maintainers do not want to update their log4j dependency, we have to either patch it locally or drop the dependency on vnu.jar.
Currently, we ship a version of
vnu.jar
which useslog4j v1.2.17
andcommons-fileupload v1.3.1
both of which have severe (probably irrelevant) vulnerabilities. This is preventing automatic deployment of html5validator in secure environments. As the upstream maintainers do not want to update their log4j dependency, we have to either patch it locally or drop the dependency onvnu.jar
.