[ 
https://issues.apache.org/jira/browse/MDEP-775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428123#comment-17428123
 ] 

Gazy Mahomar edited comment on MDEP-775 at 10/13/21, 10:01 AM:
---------------------------------------------------------------

No joy. At this point I'm no longer sure if the issue is coming from this 
plugin. After checking out the repo and taking a look, it's clear to me that 
MDEP-626 should have removed all references to struts. I can't tell where it's 
coming from, other than it's getting re-downloaded any time I run 
{{dependency:tree}}. Also, {{dependency:resolve-plugins}} shows no plugins that 
depend (in)directly on struts (and running it also downloads struts), so I'm at 
a loss.

I honestly think this issue can be closed, unless someone else wants to look 
into it. Thanks for the quick response and sorry for the noise.


was (Author: gmahomarf):
No joy. At this point I'm no longer sure if the issue is coming from this 
plugin. After checking out the repo and taking a look, it's clear to me that 
MDEP-626 should have removed all references to struts. I can't tell where it's 
coming from, other than it's getting re-downloaded any time I run 
{{dependency:tree}}. Also, {{dependency:resolve-plugins}} shows no plugins that 
depend (in)directly on struts (and it also downloads struts), so I'm at a loss.

I honestly think this issue can be closed, unless someone else wants to look 
into it. Thanks for the quick response and sorry for the noise.

> Update velocity-tools from 2.0 to a newer version that doesn't depend on 
> struts 1.3.8
> -------------------------------------------------------------------------------------
>
>                 Key: MDEP-775
>                 URL: https://issues.apache.org/jira/browse/MDEP-775
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Gazy Mahomar
>            Priority: Major
>
> The Dependency plugin depends on {{org.apache.velocity:velocity-tools:2.0}}, 
> which in turn depends on {{org.apache.struts:struts-core 1.3.8}}. As 
> mentioned in MDEP-626, {{struts-core:1.3.8}} has several CVEs against it. For 
> those of us with overzealous IT departments in corporate environments, this 
> presents a problem, as the {{struts-core:1.3.8}} jar constantly triggers 
> vulnerability checks. 
> Would it be possible to update {{velocity-tools}} to a newer version without 
> struts?
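One way a build can stop pulling struts-core onto the dependency plugin's classpath while velocity-tools 2.0 is still a declared dependency of the plugin. This is an added example written here; it is not from MDEP-775, from the reporter, or from the maven-dependency-plugin project. It assumes the build already declares maven-dependency-plugin under <build><plugins> (the <version> element is omitted and should be whatever the build already pins), and it uses Maven's plugin-level <dependencies> override together with a wildcard exclusion, which needs Maven 3.2.1 or newer.

```xml
<!-- Added example (not from MDEP-775 or the maven-dependency-plugin project).
     Assumptions: the build already declares maven-dependency-plugin in
     <build><plugins>; the <version> element is omitted and should be the
     version the build already pins; Maven 3.2.1+ for the wildcard exclusion. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-dependency-plugin</artifactId>
      <!-- Dependencies declared here are added to the plugin's own classpath
           and take precedence over the versions the plugin itself pulls in. -->
      <dependencies>
        <dependency>
          <groupId>org.apache.velocity</groupId>
          <artifactId>velocity-tools</artifactId>
          <version>2.0</version>
          <exclusions>
            <!-- Drop the org.apache.struts:struts-core 1.3.8 transitive
                 dependency named in the issue. The wildcard artifactId also
                 drops any other org.apache.struts artifact velocity-tools
                 brings in, so nothing from that group lands on the classpath. -->
            <exclusion>
              <groupId>org.apache.struts</groupId>
              <artifactId>*</artifactId>
            </exclusion>
          </exclusions>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

The caveat a practitioner wants: an exclusion only removes the jar from the plugin classpath, it does not change what the plugin code references. If a goal you run actually loads a struts class, the failure shows up at runtime as a NoClassDefFoundError rather than at resolution time, so exercise the goals you rely on (for example dependency:tree) after making the change. The resolved plugin classpath itself can be listed with mvn dependency:resolve-plugins, which is the check the reporter describes in the comment above.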



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
