RemoLiechti opened a new pull request, #2: URL: https://github.com/apache/sling-org-apache-sling-commons-json/pull/2
This PR mainly fixes the CVE-2022-47937-json, exploits that ended in out of memory or stack overflows. To achieve this, the re-licenced base library JSON-java (now public domain) was used as of version [20240303](https://github.com/stleary/JSON-java/releases/tag/20240303) and adapted to be backwards compatible without breaking changes.

Besides that, some additional maintenance was completed:

- junit tests were migrated to junit5
- parent pom updated to 52 along with all migration steps needed

Good to know: The library lost the 'tidy' feature, which is no longer present. For backwards compatibility, the related methods (setTidy, isTidy) were stubbed to avoid compilation errors or the need to recompile all depending projects.

Questions to reviewers:

1. There is a junit test (not committed to the repo) that validates the CVE exploits no longer working. Is there an interest to store that somewhere non-public? If so, where and how.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
