
Bump commons-beanutils #161

Closed
winne42 opened this issue Sep 23, 2022 · 10 comments

Comments

@winne42

winne42 commented Sep 23, 2022

Hi there, we are currently using jaxb2-basics:0.13.1
Unfortunately, this has a dependency to commons-beanutils:commons-beanutils:1.9.3, which has a known security vulnerability, see https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.9.3

Is there any chance we could get a 0.13.2 release that uses beanutils 1.9.4 instead?

@laurentschoelens
Collaborator

Hi @winne42 : upgrade done in PR #165

@winne42
Author

winne42 commented Mar 7, 2023

@laurentschoelens great, thanks!

@neseleznev

neseleznev commented Mar 7, 2023

Hi @winne42 : upgrade done in PR #165

Thank you for this, but I suppose that #119 does it as well and could be merged in seconds (thus, version has to be bumped & released), rather than your PR with 646 files changed :)

@laurentschoelens
Collaborator

Yes for sure but @mattrpav plans to move to jakarta so I suppose this will be the plan. He'll do the best choice I think

@laurentschoelens
Collaborator

@winne42 you can use new jaxb2-basics coordinates in jaxb-tools repository
Version 2.0.4 available with some bugfixes in it.
Will publish new version here too with same fix and relocation info

@winne42
Author

winne42 commented Aug 22, 2023

Hello @laurentschoelens , thanks for the info! I don't quite understand the relationship between jaxb2-basic and jaxb-tools yet (and I couldn't find info in the README.mds).
Does jaxb2-basics now live in the jaxb-tools repo and this repo here is obsolete? Is there a separate artifact or are jaxb2-basics' classes included in the jaxb-tools artifact? Should I just use org.jvnet.jaxb:jaxb2-basics-tools:2.0.4 as dependency?

This is still a bit confusing. jaxb-tools' README.md even includes git conflict markers ;-)

@laurentschoelens
Collaborator

laurentschoelens commented Aug 22, 2023

Yes: we decided, in order to provide jakarta versions of all artifacts, to merge all jaxb-related repositories into the former maven-jaxb2-plugin repository, renamed as jaxb-tools. Everything is still split (and as independent as it should be) and will stay split in maven artifacts.

README.md is currently being rewritten too (PR waiting to be merged) in jaxb-tools.
After the jakarta migration, we'll do some cleanup on "deprecated" repositories, adding mentions in README.md and releasing a latest version with maven relocation infos.

You can use the following to build with commons-beanutils upgraded.
Feel free to get back if any problems

<dependency>
    <groupId>org.jvnet.jaxb</groupId>
    <artifactId>jaxb2-basics</artifactId>
    <version>2.0.4</version>
</dependency>
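A check worth running before and after the switch, whether you stay on 0.13.1 or move to the 2.0.4 coordinates above: confirm which commons-beanutils version the build actually resolves instead of trusting the declared jaxb2-basics version. The script below is an added example, not code from the jaxb2-basics or jaxb-tools projects. It parses the text printed by `mvn dependency:tree`, flags any commons-beanutils below the 1.9.4 floor that the opening post asks for, and reports the dependency chain that pulled it in. The sample tree embedded in it is constructed to mirror this thread; the `org.jvnet.jaxb2_commons` coordinates, the sub-dependencies and the `com.example:app` root are assumptions, not output from a real build.

```python
"""Flag outdated transitive artifacts in `mvn dependency:tree` output.

Added example, not part of jaxb2-basics or jaxb-tools. Feed the text of
`mvn dependency:tree` to find_outdated(); SAMPLE_TREE below is constructed
to resemble a project that still pulls jaxb2-basics 0.13.1.
"""
import re

# One tree line: "[INFO] " + nesting glyphs ("+- ", "\- ", "|  ", "   ",
# three characters per level) + "group:artifact:type[:classifier]:version[:scope]".
# Requiring 3..5 colons keeps separator lines and plugin banners from matching.
_LINE = re.compile(
    r"^\[INFO\] (?P<prefix>(?:[|+\\ -]{3})*)(?P<coord>[^\s:]+(?::[^\s:]+){3,5})$"
)

# Constructed sample output (assumed coordinates, not a real build).
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.jvnet.jaxb2_commons:jaxb2-basics:jar:0.13.1:compile
[INFO] |  +- org.jvnet.jaxb2_commons:jaxb2-basics-runtime:jar:0.13.1:compile
[INFO] |  \\- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |     \\- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \\- org.example:other-lib:jar:2.4.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""


def parse_tree(text):
    """Return one dict per node: group, artifact, version and the chain of
    group:artifact:version coordinates from the root down to that node."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        group, artifact = parts[0], parts[1]
        # Root line has no scope (g:a:type:version); children end in ":scope".
        version = parts[3] if len(parts) == 4 else parts[-2]
        stack = stack[:depth]
        stack.append(f"{group}:{artifact}:{version}")
        nodes.append({"group": group, "artifact": artifact,
                      "version": version, "chain": list(stack)})
    return nodes


def version_key(version):
    """Sortable key: numeric segments compared as integers (so 1.10 > 1.9),
    and a qualified build sorts before the plain release (1.9.4-SNAPSHOT < 1.9.4)."""
    parts = re.split(r"[.\-]", version)
    numeric = []
    while parts and parts[0].isdigit():
        numeric.append(int(parts.pop(0)))
    qualifier = "-".join(parts).lower()
    return (tuple(numeric), 0 if qualifier else 1, qualifier)


def find_outdated(tree_text, group, artifact, minimum):
    """List (version, chain) for every occurrence of group:artifact resolved
    below `minimum` in the given dependency:tree output."""
    floor = version_key(minimum)
    hits = []
    for node in parse_tree(tree_text):
        if (node["group"], node["artifact"]) != (group, artifact):
            continue
        if version_key(node["version"]) < floor:
            hits.append((node["version"], " -> ".join(node["chain"])))
    return hits


if __name__ == "__main__":
    for version, chain in find_outdated(SAMPLE_TREE, "commons-beanutils",
                                        "commons-beanutils", "1.9.4"):
        print(f"commons-beanutils {version} below 1.9.4 via {chain}")
```

Run it on the output of `mvn dependency:tree -Dincludes=commons-beanutils` from the module that declares jaxb2-basics; add `-Dverbose` if you also want the versions Maven omitted during conflict resolution. When jaxb2-basics is declared as a dependency of the maven-jaxb2-plugin rather than of the project, it does not appear in the project tree at all, so check the plugin's resolved dependencies (`mvn dependency:resolve-plugins`) as well.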

@winne42
Author

winne42 commented Aug 22, 2023

Thanks for the quick and thorough explanation, @laurentschoelens !

@laurentschoelens
Collaborator

Fixed artifactId which was not the one to be declared as plugin dependency

@laurentschoelens
Collaborator

Fixed in jaxb-tools v2 branch and further
