[
https://issues.apache.org/jira/browse/TIKA-4532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18033931#comment-18033931
]
Tim Allison edited comment on TIKA-4532 at 10/29/25 6:47 PM:
-------------------------------------------------------------
I started work on this for kicks but then realized that commons-lang3 is
brought in transitively by jackcess, commons-compress, ctakes...etc.
Even if we removed it from Tika, can we exclude it safely from those
dependencies?
And to be clear, I agree with Tilman. This is a fair amount of work for not
much benefit as far as I can see. Parsing is dangerous. We have a lot of
dependencies. Knocking out one isn't going to make things significantly better.
That said, yes, we should try to decrease our attack surface as we can.
> Drop commons-lang3 dependency
> -----------------------------
>
> Key: TIKA-4532
> URL: https://issues.apache.org/jira/browse/TIKA-4532
> Project: Tika
> Issue Type: Improvement
> Affects Versions: 3.2.3
> Reporter: Vladimir Sitnikov
> Priority: Major
>
> Currently, there are only a few commons-lang3 usages in apache tika (see
> https://github.com/search?q=repo%3Aapache%2Ftika%20commons.lang3&type=code ),
> and it would be great if
> commons-lang3 is a big dependency with lots of stuff, and it is unfortunate
> to get CVEs via commons-lang3:
> https://mvnrepository.com/artifact/org.apache.commons/commons-lang3
> See https://github.com/apache/maven-doxia/issues/1006