[
https://issues.apache.org/jira/browse/MDEP-775?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Osipov updated MDEP-775:
--------------------------------
Fix Version/s: wontfix-candidate
> Update velocity-tools from 2.0 to a newer version that doesn't depend on
> struts 1.3.8
> -------------------------------------------------------------------------------------
>
> Key: MDEP-775
> URL: https://issues.apache.org/jira/browse/MDEP-775
> Project: Maven Dependency Plugin
> Issue Type: Dependency upgrade
> Reporter: Gazy Mahomar
> Priority: Major
> Fix For: wontfix-candidate
>
>
> The Dependency plugin depends on {{org.apache.velocity:velocity-tools:2.0}},
> which in turn depends on {{org.apache.struts:struts-core 1.3.8}}. As
> mentioned in MDEP-626, {{struts-core:1.3.8}} has several CVEs against it. For
> those of us with overzealous IT departments in corporate environments, this
> presents a problem, as the {{struts-core:1.3.8}} jar constantly triggers
> vulnerability checks.
> Would it be possible to update {{velocity-tools}} to a newer version without
> struts?