[ https://issues.apache.org/jira/browse/TIKA-3003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17406589#comment-17406589 ]
Andras Salamon commented on TIKA-3003:
--------------------------------------
There is a new jsoup CVE: [https://nvd.nist.gov/vuln/detail/CVE-2021-37714] so
removing jsoup would be rather useful.
> Remove unused dependencies
> --------------------------
>
> Key: TIKA-3003
> URL: https://issues.apache.org/jira/browse/TIKA-3003
> Project: Tika
> Issue Type: Improvement
> Components: parser
> Affects Versions: 2.0.0
> Reporter: César Soto Valero
> Priority: Minor
> Fix For: 2.0.0-BETA
>
>
> I noticed that dependency *org.jsoup:jsoup:1.12.1* is declared in module
> *tika-parsers* to prevent having a vulnerable version from
> *edu.ucar:grib*. However, this dependency is not used and, therefore, it can
> be removed to make the pom clearer and the dependency tree of this module
> complex.
> In addition, dependency *net.sf.ehcache:ehcache-core*, induced transitively
> from *edu.ucar:cdm:4.5.5*, is not used and can be excluded safely. Notice
> that the size of the jar of *ehcache-core* is around 1.3MB, thus removing it
> has a positive impact on the size of *tika-parsers*.