rombert commented on PR #34: URL: https://github.com/apache/sling-org-apache-sling-xss/pull/34#issuecomment-1619728479
Speaking as the main reviewer for SLING-7231, I fully agree that we should stay away from Guava. That change was made when it became clear that AntiSamy was not the right tool for us anymore. It required us to play all sorts of weird games with embedding XML libraries and fiddling with classloaders. Some of those embedded libraries are both EOL and affected by critical CVEs. We switched to the OWASP Java HTML Sanitizer which looks better but (IMO) also does not see that much activity, so I think the Guava dependency is here to stay in the medium run, unfortunately.

While, as a rule, we should try and import dependent bundles, we are embedding the Sanitizer (and playing tricks with it (#32)), so I think we should also keep the Guava dependency embedded in the bundle.

oak-shaded-guava sounds like Oak trying to allow other libraries to use whichever Guava library they want, which is great. In that direction, I think that Sling bundles should not require Guava at all and should allow downstream applications to deploy whichever version of Guava they need. Looking at the latest Sling Starter, I see only the Oak bundles and our own Oak-Server import Guava packages. Once Oak is "Guava-free", it might be a good idea for us to use it from Oak-Server as well and then drop our copy of Guava from the Starter.

------

On a final note, with the new library the XSS bundle is still very large, but down by more than 40%:

```
$ curl --silent --head https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.xss/2.2.20/org.apache.sling.xss-2.2.20.jar | grep '^content-length'
content-length: 6831549
$ curl --silent --head https://repo1.maven.org/maven2/org/apache/sling/org.apache.sling.xss/2.3.8/org.apache.sling.xss-2.3.8.jar | grep '^content-length'
content-length: 4008615
```

Hopefully once upstream drops Guava we can reduce the bundle size even more.
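As an added example (not code from this PR or from the Sling project): the remark above about which Starter bundles import Guava packages is the kind of inventory check worth automating. The following Python script reads each bundle's `META-INF/MANIFEST.MF`, unfolds the JAR-spec continuation lines, splits the OSGi `Import-Package` / `Export-Package` headers on commas outside quotes (so a `version="[30,31)"` range is not split), and also reports whether `com.google.common` classes are physically embedded in the jar, which is the situation the XSS bundle is in. The bundle names and manifests are constructed samples built in memory; nothing here is downloaded.

```python
import io
import zipfile

GUAVA_PREFIX = "com.google.common"          # Guava's package namespace
GUAVA_PATH = GUAVA_PREFIX.replace(".", "/")  # same namespace as a jar path


def parse_manifest(text):
    """Unfold a JAR manifest into {header: value}.

    Per the JAR spec, lines are wrapped at 72 bytes and a continuation line
    starts with a single space; those are glued back onto the previous header.
    """
    headers = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            headers[current] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            headers[current] = value.strip()
    return headers


def split_header_clauses(value):
    """Split an OSGi header on commas that are outside double quotes."""
    clauses, in_quotes, buf = [], False, []
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            clauses.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if buf:
        clauses.append("".join(buf).strip())
    return [c for c in clauses if c]


def packages_in(value, prefix=GUAVA_PREFIX):
    """Package names (directives/attributes stripped) starting with prefix."""
    return [
        clause.split(";")[0].strip()
        for clause in split_header_clauses(value)
        if clause.split(";")[0].strip().startswith(prefix)
    ]


def guava_usage(jar_bytes):
    """Describe how one bundle relates to Guava: imports, exports, embedded."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        embedded = any(
            n.startswith(GUAVA_PATH + "/") and n.endswith(".class")
            for n in zf.namelist()
        )
    headers = parse_manifest(manifest)
    return {
        "imports": packages_in(headers.get("Import-Package", "")),
        "exports": packages_in(headers.get("Export-Package", "")),
        "embedded": embedded,
    }


def scan_bundles(bundles):
    """bundles: {symbolic_name: jar_bytes} -> {symbolic_name: usage dict}."""
    return {name: guava_usage(data) for name, data in bundles.items()}


def build_sample_bundle(manifest, extra_files=()):
    """Construct a minimal in-memory jar from a manifest and extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for path, data in extra_files:
            zf.writestr(path, data)
    return buf.getvalue()


def sample_bundles():
    """Two constructed bundles (hypothetical names, not real Sling/Oak jars)."""
    # Imports Guava from the framework, with a wrapped manifest line.
    oak_like = build_sample_bundle(
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.example.oak-like\n"
        'Import-Package: com.google.common.base;version="[30.0,31)",com.google.c\n'
        ' ommon.collect;version="[30.0,31)",org.osgi.framework\n'
    )
    # Embeds Guava classes as private packages, importing nothing from Guava.
    xss_like = build_sample_bundle(
        "Manifest-Version: 1.0\n"
        "Bundle-SymbolicName: org.example.xss-like\n"
        "Import-Package: org.osgi.framework\n"
        "Private-Package: com.google.common.base\n",
        extra_files=[("com/google/common/base/Strings.class", b"\xca\xfe\xba\xbe")],
    )
    return {"org.example.oak-like": oak_like, "org.example.xss-like": xss_like}


if __name__ == "__main__":
    for name, usage in scan_bundles(sample_bundles()).items():
        print(name, usage)
```

On a real deployment, feed `scan_bundles` a dict built from the jars in the Starter's bundle directory; bundles that report `embedded: True` carry their own copy of Guava and will not pick up a fix deployed as a shared `com.google.common` bundle, which is the trade-off the comment accepts for the XSS bundle.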
