On Mon, Nov 6, 2023 at 11:30 AM Oliver Hanraths wrote:
>
> that would be much appreciated.
>

We will do a minor bugfix release soon, but I want to include TAP5-2768 (another pentest finding) which should be done tomorrow.

> Yeah, I know. Even though the affected file won't be used by the
> application it would still be there and be detected by security scanners
> on the server.
> Our pentest was "black box", so we only needed the override to mitigate.
> Or do you happen to know a way to exclude the file (from within the
> Tapestry core lib) from the final war file, e.g. a Gradle task?
>

I've looked into it, but there seems to be no simple solution like using exclude(...) in Gradle. If you really can't wait for 5.8.4, two options come to mind:

- Build your own Tapestry jars and use those. We did this in the past, but we run our own Sonatype Nexus. Thanks to GitHub Actions and GitHub Packages, it might be easier now, but it's still some work to set up.
- Extract war/jar, remove the file, and re-zip everything correctly before deployment.

Cheers
Ben
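Ben's second option (extract the war, remove the flagged file from the nested jar, re-zip "correctly") is the kind of step that silently breaks an archive when done by hand, so here is an added example of how to do it as a deployment-time script. This is not code from the thread or from the Tapestry project; it uses only Python's standard library, and every name in it (the `tapestry-core-*.jar` glob, the `UNWANTED_FILE` entry, the sample war) is a constructed placeholder, since the thread does not name the file the scanner flagged. The script rewrites both the war and the matching jar entry-for-entry, so the entry order (META-INF/MANIFEST.MF first), timestamps and per-entry compression settings survive, and it returns a report you can fail the deployment on if the entry was not found where you expected it.

```python
"""Added example (not from the thread): strip one entry out of a jar that is
nested inside a war, rewriting both archives entry-for-entry so that entry
order (META-INF/MANIFEST.MF first), timestamps and per-entry compression
settings survive the round trip. Standard library only."""
import fnmatch
import io
import os
import zipfile


def remove_entry_from_zip_bytes(data: bytes, entry: str) -> tuple[bytes, bool]:
    """Return (new_zip_bytes, was_present) for the archive in `data` minus `entry`."""
    out = io.BytesIO()
    removed = False
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename == entry:
                removed = True
                continue
            # Passing the original ZipInfo keeps name, mtime, attributes and
            # compress_type; writestr recomputes size and CRC itself.
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def strip_from_war(war_path: str, jar_glob: str, entry: str, out_path: str) -> dict[str, bool]:
    """Copy war_path to out_path, removing `entry` from every WEB-INF/lib jar whose
    file name matches jar_glob. Returns {jar path inside the war: entry was present}."""
    report: dict[str, bool] = {}
    with zipfile.ZipFile(war_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            payload = src.read(info.filename)
            if info.filename.startswith("WEB-INF/lib/") and fnmatch.fnmatch(
                os.path.basename(info.filename), jar_glob
            ):
                payload, report[info.filename] = remove_entry_from_zip_bytes(payload, entry)
            dst.writestr(info, payload)
    return report


def list_nested_entries(war_path: str, jar_in_war: str) -> list[str]:
    """Entry names of a jar stored inside a war, in archive order (for verification)."""
    with zipfile.ZipFile(war_path) as war:
        with zipfile.ZipFile(io.BytesIO(war.read(jar_in_war))) as jar:
            return jar.namelist()


# Constructed sample data with hypothetical names; the real entry is whatever
# the scanner flagged, which the thread does not name.
SAMPLE_JAR = "WEB-INF/lib/tapestry-core-SAMPLE.jar"
OTHER_JAR = "WEB-INF/lib/other-lib-SAMPLE.jar"
UNWANTED = "org/example/UNWANTED_FILE.txt"


def build_sample_war(path: str) -> None:
    """Write a tiny war with two nested jars that both contain UNWANTED."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as j:
        j.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        j.writestr("org/example/Keep.class", b"\xca\xfe\xba\xbe")
        j.writestr(UNWANTED, b"flagged by the scanner")
    with zipfile.ZipFile(path, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr(SAMPLE_JAR, jar.getvalue())
        w.writestr(OTHER_JAR, jar.getvalue())


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "app.war"), os.path.join(d, "app-stripped.war")
        build_sample_war(src)
        # Only the tapestry-core jar is touched; the other jar keeps the entry.
        print(strip_from_war(src, "tapestry-core-*.jar", UNWANTED, dst))
        print(list_nested_entries(dst, SAMPLE_JAR))
```

Two practical notes: make the deployment step fail if the report contains no `True` (the entry was not where the glob expected, so either the jar name or the path changed), and run `zipfile.ZipFile(out).testzip()` or `unzip -t` on the result before shipping it. Because the glob is matched only under `WEB-INF/lib/`, it cannot accidentally rewrite the application's own classes, and the unchanged jars are copied byte-for-byte.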