IIRC, the reason we excluded xalan in the first place was that it had a lot of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.
We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.
Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself
see
https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73
it states
Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0
To Reproduce
run
mvn dependency:tree
Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)
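A check for the pattern this issue describes, as an added example that is not part of the issue or of ESAPI's code: it lists every exclusion in a pom whose excluded artifact is not also declared as a direct dependency. The pom fragment is constructed from the coordinates named in this thread, and the function name `undeclared_exclusions` is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom fragment (not ESAPI's actual pom.xml); coordinates are those named in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>xom</groupId>
      <artifactId>xom</artifactId>
      <version>1.3.8</version>
      <exclusions>
        <exclusion>
          <groupId>xalan</groupId>
          <artifactId>xalan</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>"""


def _ga(node):
    """Return 'groupId:artifactId' for a <dependency> or <exclusion> element."""
    group = node.findtext("m:groupId", "", NS).strip()
    artifact = node.findtext("m:artifactId", "", NS).strip()
    return f"{group}:{artifact}"


def undeclared_exclusions(pom_xml):
    """List (dependency, excluded) pairs where the excluded artifact is not a direct dependency.

    Only this pom's own <dependencies> are inspected; parent poms and
    <dependencyManagement> are out of scope, and wildcard exclusions are skipped.
    """
    root = ET.fromstring(pom_xml)
    deps = root.findall("m:dependencies/m:dependency", NS)
    direct = {_ga(d) for d in deps}
    findings = []
    for dep in deps:
        for exc in dep.findall("m:exclusions/m:exclusion", NS):
            excluded = _ga(exc)
            if "*" not in excluded and excluded not in direct:
                findings.append((_ga(dep), excluded))
    return findings


if __name__ == "__main__":
    for owner, excluded in undeclared_exclusions(SAMPLE_POM):
        print(f"{owner} excludes {excluded}, which is not declared directly")
```

Each pair it returns is a review item rather than a defect: the exclusion is fine when nothing on the classpath needs the library, and otherwise the artifact should be declared directly at a patched version.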