enapps-enorman commented on PR #34:
URL: https://github.com/apache/sling-org-apache-sling-xss/pull/34#issuecomment-1619044378

> in this case guava is a dependency of the also embedded https://github.com/OWASP/java-html-sanitizer, so we need it here and even in a specific version. maybe we can get rid of it if [OWASP/java-html-sanitizer#272](https://github.com/OWASP/java-html-sanitizer/pull/272) gets resolved.

It would definitely be great to see people stop using guava when it is not necessary. But I'm not sure your conclusion is quite right.

I assume the guava dependency is more of a "minimum" version (30.1-jre?) rather than a specific version. The 32.0.1-jre version in oak-shaded-guava should be compatible?

In that case, then if you configure the maven-shade-plugin to use the same re-written package name as the oak-shaded-guava uses, then it would rewrite the third-party binary bytecode to be compatible. At that point, there should be no need to embed any of the com.google.common.* as a private package here. The runtime could resolve those from the oak-shaded-guava bundle instead and the xss bundle would go from ~4MB to ~2MB without losing any functionality.
