bhmohanr-techie commented on PR #25: URL: https://github.com/apache/commons-jxpath/pull/25#issuecomment-1282196815
[kyakdan](https://github.com/kyakdan) I'm still not convinced. Please help me understand one thing. Let's say I'm a JXPath user, and I'm not affected by this vulnerability. JXPath is working all fine in my environment. Now, if we go ahead with your approach of specifying an allow list, then if I upgrade to the next JXPath version, JXPath will stop working in my environment straight after the upgrade, and I will need to set a system property to get it working again. This is an unnecessary ask from a user who didn't have any problem with JXPath so far. We are affecting existing user behavior, which to me is not acceptable for any product/solution.

So, let's please wait for the JXPath maintainers on this; we should stick to what they suggest? They have a better understanding of the JXPath code base and customers.

@garydgregory @markt-asf @jvz @kinow @Paradox98 requesting your valuable suggestions here. Thanks.
