On 24.03.26 at 10:15, Vladimir Sitnikov wrote:
That is true, it is a build-time dependency only. On the other hand, we might open a vector for our build system, when we run actions on untrusted PRs. Frankly, I think getting rid of Anakia might be valuable, however, currently it just works, so I haven't touched it even though it is problematic. At the same time, it is a build-time only dependency, so it does not impact users much.
It is certainly not a super high risk currently.
The 1.x branch of Velocity has a security problem, which is referenced by our GitHub repo and we should try to do something about it. Been there, asked commons devs to release commons 2.x security fix: https://lists.apache.org/thread/c92czjl95vwzgcqhkwhjb643brlf6tpm I just noticed there was an unsent email draft: https://lists.apache.org/thread/w1kk0hjtp1bl585rypzco2v6fng3wklh Sure LLMs might help a lot with rework of the docs, however, I am afraid it would still take significant time.
I am not sure whether we have to rework anything at all. My idea was to just drop the Anakia docs and use the XSLT ones as a one-to-one replacement.
Felix
PS. My current goal is to implement "explicitly set to empty" vs "unset" values for the UI controls.
Vladimir
