[
https://issues.apache.org/jira/browse/AMQ-9388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher L. Shannon updated AMQ-9388:
----------------------------------------
Description:
While reviewing the 6.0.0 release I noticed that the newly added
{{camel-activemq}} module pulls in {{activemq-client-jakarta}} as a transitive
dependency. This makes sense since the version used is based on ActiveMQ 5.18.2
as 6.0.0 isn't released yet.
We need to exclude this because with version 6.0.0 this module no longer exists
so is not needed and secondly the 5.18.2 version has a CVE against it. The
dependency in the current release is not included in the tar distribution but
since it is transitively being pulled in with Maven if someone has a dependency
on the apache-activemq pom they will have the jar pulled into their build.
was:
While reviewing the 6.0.0 release I noticed that the newly added camel-activemq
module pulls in activemq-client-jakarta as a transitive dependency. This makes
sense since the version used is based on ActiveMQ 5.18.2 as 6.0.0 isn't
released yet.
We need to exclude this because with version 6.0.0 this module no longer exists
so is not needed and secondly the 5.18.2 version has a CVE against it. The
dependency in the current release is not included in the tar distribution but
since it is transitively being pulled in with maven if someone has a dependency
on the apache-activemq pom they will have the jar pulled into their build.
> camel-activemq transitively pulls in activemq-client-jakarta
> ------------------------------------------------------------
>
> Key: AMQ-9388
> URL: https://issues.apache.org/jira/browse/AMQ-9388
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker
> Reporter: Christopher L. Shannon
> Assignee: Christopher L. Shannon
> Priority: Major
> Fix For: 6.0.0
>
>
> While reviewing the 6.0.0 release I noticed that the newly added
> {{camel-activemq}} module pulls in {{activemq-client-jakarta}} as a
> transitive dependency. This makes sense since the version used is based on
> ActiveMQ 5.18.2 as 6.0.0 isn't released yet.
> We need to exclude this because with version 6.0.0 this module no longer
> exists so is not needed and secondly the 5.18.2 version has a CVE against it.
> The dependency in the current release is not included in the tar distribution
> but since it is transitively being pulled in with Maven if someone has a
> dependency on the apache-activemq pom they will have the jar pulled into
> their build.
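An added example, not part of the Jira message or of ActiveMQ's own code: a check that a downstream build can run over `mvn dependency:tree` text output to see whether `activemq-client-jakarta` arrives transitively and through which dependency. The sample tree is constructed; the consumer project, the `camel-activemq` version and the function names are assumptions.

```python
import re

# Constructed `mvn dependency:tree` output. The consumer project and the
# camel-activemq version are placeholders, not values from the issue.
SAMPLE_TREE = """\
[INFO] com.example:consumer-app:jar:1.0.0
[INFO] +- org.apache.activemq:apache-activemq:pom:6.0.0:compile
[INFO] |  +- org.apache.activemq:activemq-broker:jar:6.0.0:compile
[INFO] |  \\- org.apache.camel:camel-activemq:jar:0.0.0-PLACEHOLDER:compile
[INFO] |     \\- org.apache.activemq:activemq-client-jakarta:jar:5.18.2:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
"""

# Optional "[INFO] " prefix, 3-character tree-drawing groups, then the coordinates.
LINE = re.compile(
    r"^(?:\[INFO\] )?((?:\|  |   |\+- |\\- )*)([^\s:]+(?::[^\s:]+){3,5})(?:\s.*)?$"
)

def find_paths(tree_text, group_id, artifact_id):
    """Return every root-to-artifact path on which group_id:artifact_id appears."""
    stack, hits = [], []
    for raw in tree_text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group(1)) // 3
        del stack[depth:]  # drop siblings and deeper nodes from the previous branch
        stack.append(m.group(2))
        parts = m.group(2).split(":")
        if parts[0] == group_id and parts[1] == artifact_id:
            hits.append(list(stack))
    return hits

def summarize(path):
    """Describe one hit: resolved version, its parent, and where to exclude it."""
    parts = path[-1].split(":")
    short = lambda coord: ":".join(coord.split(":")[:2])
    return {
        "version": parts[-1] if len(parts) == 4 else parts[-2],
        "pulled_in_by": short(path[-2]) if len(path) > 1 else None,
        # Maven exclusions are declared on the consumer's own direct dependency.
        "declare_exclusion_on": short(path[1]) if len(path) > 2 else None,
    }

if __name__ == "__main__":
    for p in find_paths(SAMPLE_TREE, "org.apache.activemq", "activemq-client-jakarta"):
        print(" -> ".join(p))
        print(summarize(p))
```

A non-empty result means the jar is on the build's classpath even though it is absent from the tar distribution; the `declare_exclusion_on` entry is the direct dependency on which the consumer's POM would carry the `<exclusion>`.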