Backport fix for CVE-2023-4863 to release branch 0.4.x

[fgrilli]

v0.5.0 has been released which should contain binaries built from v1.3.2 tag.

Thanks you for bringing the issue to my attention, I missed that Internet got broken recently 😅

Thanks again for fixing this! Hopefully it's not asking too much but would it be possible to release a 0.4.2 patch version without this breaking change? Our codebase still requires Java 1.8 and after updating to v0.5.0 we're getting lots of java.lang.NoClassDefFoundError: Could not initialize class javax.imageio.ImageIO 💥

Originally posted by @fgrilli in https://github.com/usefulness/webp-imageio/issues/131#issuecomment-1739384020

[mateuszkwiecinski]

Hey 👋 I'm afraid this cannot be easily done :/ The CI pipeline isn't prepared to build from any commit, and that's not an area I'd like to invest my free time. I'm willing to bring back Java 8 compatibility, but only in a form of a Multi-Release Jar format. I can't share any time frame when I'll be able to work on this, nor if I'm even capable to achieve such end result 😅

If you need Java 8 support and you cannot upgrade Java version in the nearest future, I can suggest forking the project and building your own jars. It shouldn't be that difficult since there were no changes in the native bindings, so you can even probably re-use native binaries without building them yourself.

Just out fo curiosity: Would you mind sharing why your codebase had stuck on such an old Java runtime? What kind of challenges you have to deal with before you can safelt upgrade to more recent version?

[fgrilli]

Hey, thanks for your reply. I guess we'll have to bite the bullet and build our own jars. As to why we're still stuck with Java 1.8, basically it's for maintenance and compatibility needs but we're also working on modernising our tech stack at the same time.

[ThexXTURBOXx]

For anyone wondering: My fork is completely compatible with Java 8 and can be built with jitpack: https://github.com/ThexXTURBOXx/webp-imageio