carlosame commented on PR #2: URL: https://github.com/apache/xalan-java/pull/2#issuecomment-1194140628
> @carlosame , I did not intend to fix CVEs in this PR. I just wanted to add CI so all the further modifications could be tested.

To "fix" the CVE, all you need to do is to remove the BCEL packages from the jar, and then list BCEL as a dependency. Now the CVE belongs to somebody else. And to be friendly to modular JDKs, you have to do the same for the rest of the foreign packages that are currently shipped with Xalan. All of this could be done in this PR.
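
A check for the unbundling described in the comment above, as an added example that is not part of the original message or the Xalan code base: it lists the packages a jar ships outside the project's own namespaces, so a build can confirm that BCEL and other foreign classes are no longer bundled. The `OWN_PREFIXES` values, the function names and the sample jar entries are assumptions constructed for illustration.

```python
import io
import zipfile
from collections import Counter

# Assumption: namespaces the project itself owns; everything else is "foreign".
OWN_PREFIXES = ("org/apache/xalan/", "org/apache/xml/", "org/apache/xpath/")


def foreign_packages(jar, own_prefixes=OWN_PREFIXES):
    """Return {package: class_count} for classes outside own_prefixes.

    `jar` is a path or a binary file object accepted by zipfile.ZipFile.
    """
    counts = Counter()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            # Only compiled classes matter; skip manifests and other metadata.
            if not name.endswith(".class") or name.startswith("META-INF/"):
                continue
            if name.startswith(own_prefixes):
                continue
            package = name.rpartition("/")[0].replace("/", ".")
            counts[package or "(default package)"] += 1
    return dict(counts)


def build_sample_jar(entries):
    """Build an in-memory jar with empty entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


# Constructed entry names, not a listing of any real Xalan release.
BUNDLED = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/apache/xalan/Version.class",
    "org/apache/xpath/XPath.class",
    "org/apache/bcel/Constants.class",
    "org/apache/bcel/classfile/JavaClass.class",
    "org/apache/bcel/classfile/Method.class",
])

if __name__ == "__main__":
    for pkg, n in sorted(foreign_packages(BUNDLED).items()):
        print(f"{pkg}: {n} bundled class(es)")
```

An empty result means the jar contains only the project's own classes; any package it reports is still shipped inside the jar and is invisible to tools that only read the declared dependency list.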