Hi Robert,

Makes sense.

To clarify: We just provide this final version of commons.json as a
convenience for all users who are still depending on commons.json; but
there is no intention to continue development of commons.json or to
re-introduce this dependency again into other areas of Sling.

Correct?

Jörg


On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <
romb...@apache.org> wrote:

> Hi,
>
> A long time ago we retired the commons.json module for legal reasons
> [1], leaving it only in the SVN attic [2].
>
> After some time a CVE was reported against this module [3] which we
> could not fix as we could not release new versions.
>
> In the meantime, the JSON library we have been using has changed its
> license to 'Public domain', which makes it acceptable for use at the
> ASF. [4]
>
> I would like to create a GitHub repository for this module and include
> the current state from the attic. This opens up the way for creating a
> final service release, allowing consumers of this bundle that have not
> cleaned up their usages to use non-vulnerable versions.
>
> I will leave this thread open for comments for 72 hours.
>
> Thanks,
> Robert
>
>
> [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> [4]: https://issues.apache.org/jira/browse/LEGAL-666
>


-- 
https://cqdump.joerghoh.de
