ptuomola commented on pull request #1259: URL: https://github.com/apache/fineract/pull/1259#issuecomment-677292194
So I looked at the dependency tree with and without the excludes - and that clearly shows the problem caused by removing the exclude:

With excludes, both the API and the runtime are pointing to the same version (2.3.3) - which sounds good. We are using the Glassfish JAR for the implementation and the Jakarta JAR for the API - I don't think that's an issue, but of course we could try to switch both to use the Jakarta JAR and see if that makes any difference.

However, if we remove the excludes, we seem to have two different versions of the API in the classpath (2.3.1 and 2.3.3) as well as two different versions of the runtime (2.2.3-1 and 2.3.3), which really does not sound good.

So I don't think this PR - i.e. removing the excludes - is the right solution. Instead, it would be good to understand what this data leak is and why it is caused by the JAXB version. Is there a JAXB bug that you've been able to trace this to? Or any other insights? I still don't know how to reproduce this, so I'm not sure I can help much here...
For reference, here are the dependencies.

With exclude:

```
compile:
+--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3

runtime:
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
+--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
```

Without exclude:

```
compile
+--- com.sun.jersey:jersey-json -> 1.19.4
|    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
|    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
+--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3

runtime
+--- com.sun.jersey:jersey-json -> 1.19.4
|    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
|    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
+--- org.dom4j:dom4j -> 2.1.3
|    \--- javax.xml.bind:jaxb-api:2.2.12 -> 2.3.1 (*)
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at: [email protected]
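The comparison in the comment above can be automated as a build check. This is an added example, not part of the comment or of Fineract's own code: it parses the two runtime trees quoted above and reports each JAXB role that resolves to more than one version. The role grouping (`ROLES`) and the function names are assumptions of the example.

```python
import re
from collections import defaultdict

# Coordinates that fill the same JAXB role under different names
# (this grouping is an assumption of the example).
ROLES = {
    "javax.xml.bind:jaxb-api": "api",
    "jakarta.xml.bind:jakarta.xml.bind-api": "api",
    "com.sun.xml.bind:jaxb-impl": "runtime",
    "org.glassfish.jaxb:jaxb-runtime": "runtime",
}
# group:artifact[:requested] [-> resolved], as printed in a Gradle dependency tree
COORD = re.compile(r"([\w.\-]+):([\w.\-]+)(?::([\w.\-]+))?(?:\s*->\s*([\w.\-]+))?")

# Runtime trees taken from the comment, indentation reconstructed.
WITH_EXCLUDE = r"""
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
+--- jakarta.xml.bind:jakarta.xml.bind-api -> 2.3.3
"""
WITHOUT_EXCLUDE = r"""
+--- com.sun.jersey:jersey-json -> 1.19.4
|    +--- com.sun.xml.bind:jaxb-impl:2.2.3-1
|    |    \--- javax.xml.bind:jaxb-api:2.2.2 -> 2.3.1
+--- org.dom4j:dom4j -> 2.1.3
|    \--- javax.xml.bind:jaxb-api:2.2.12 -> 2.3.1 (*)
+--- org.ehcache:ehcache -> 3.8.1
|    \--- org.glassfish.jaxb:jaxb-runtime:2.3.1 -> 2.3.3
|         +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.3 (*)
"""

def resolved(tree):
    """Map each JAXB role to the set of versions that were resolved for it."""
    found = defaultdict(set)
    for line in tree.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        group, artifact, requested, chosen = m.groups()
        role = ROLES.get(f"{group}:{artifact}")
        if role and (chosen or requested):
            found[role].add(chosen or requested)  # "-> x" wins over the requested version
    return found

def conflicts(tree):
    """Roles that end up with more than one version on the classpath."""
    return {r: sorted(v) for r, v in resolved(tree).items() if len(v) > 1}

if __name__ == "__main__":
    for name, tree in (("with exclude", WITH_EXCLUDE), ("without exclude", WITHOUT_EXCLUDE)):
        print(name, conflicts(tree) or "single version per role")
```

Grouping by role rather than by coordinate is what catches this case: `javax.xml.bind:jaxb-api` and `jakarta.xml.bind:jakarta.xml.bind-api` have different coordinates, so the dependency tree lists them as separate artifacts even though they supply the same API classes.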
