[ https://issues.apache.org/jira/browse/MDEP-775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17428167#comment-17428167 ]

Gazy Mahomar edited comment on MDEP-775 at 10/13/21, 11:45 AM:
---------------------------------------------------------------

I will see what IT has to say. You can go ahead and close this issue, as far as 
I'm concerned. Thanks for the help.


was (Author: gmahomarf):
I will see what IT has to say. You can go ahead and close this issue. Thanks 
for the help.

> Update velocity-tools from 2.0 to a newer version that doesn't depend on 
> struts 1.3.8
> -------------------------------------------------------------------------------------
>
>                 Key: MDEP-775
>                 URL: https://issues.apache.org/jira/browse/MDEP-775
>             Project: Maven Dependency Plugin
>          Issue Type: Dependency upgrade
>            Reporter: Gazy Mahomar
>            Priority: Major
>             Fix For: waiting-for-feedback, wontfix-candidate
>
>
> The Dependency plugin depends on {{org.apache.velocity:velocity-tools:2.0}}, 
> which in turn depends on {{org.apache.struts:struts-core 1.3.8}}. As 
> mentioned in MDEP-626, {{struts-core:1.3.8}} has several CVEs against it. For 
> those of us with overzealous IT departments in corporate environments, this 
> presents a problem, as the {{struts-core:1.3.8}} jar constantly triggers 
> vulnerability checks. 
> Would it be possible to update {{velocity-tools}} to a newer version without 
> struts?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
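The situation the reporter describes (a jar the project never declares, struts-core 1.3.8 pulled in transitively by velocity-tools 2.0 on the plugin classpath, ending up in the local repository where an IT scanner flags it) can be checked without waiting on the scanner. The script below is an added example and is not code from this Jira thread or from the Maven Dependency Plugin: it walks a Maven local repository in the standard ~/.m2/repository layout (groupId as nested directories, then artifactId, then version, then artifactId-version.jar) and reports any jar whose coordinates are on a blocklist. The blocklist contents, the placeholder jar bytes and the plugin version in the sample layout are constructed for the example.

```python
"""Find blocklisted artifacts in a Maven local repository (~/.m2/repository).

Added example, not code from the Jira thread or from the Maven Dependency
Plugin. It reproduces the situation in MDEP-775: a plugin's transitive
dependency (struts-core 1.3.8, pulled in by velocity-tools 2.0) lands in the
local repository, where a vulnerability scanner finds it even though the
project itself never declares it.
"""
import tempfile
from pathlib import Path

# (groupId, artifactId) pairs to flag. struts-core is the one named in the
# issue; a real deployment would load this from the scanner's policy instead.
BLOCKLIST = {("org.apache.struts", "struts-core")}


def parse_repo_jar(repo_root, jar):
    """Recover (groupId, artifactId, version) from a jar's path in the repo.

    Maven stores <repo>/<groupId dots as dirs>/<artifactId>/<version>/
    <artifactId>-<version>[-classifier].jar. Paths that do not fit that
    shape return None instead of a guessed coordinate.
    """
    rel = Path(jar).relative_to(Path(repo_root))
    parts = rel.parts
    if len(parts) < 4:
        return None
    artifact_id, version = parts[-3], parts[-2]
    group_id = ".".join(parts[:-3])
    if not (rel.name.startswith(f"{artifact_id}-{version}")
            and rel.name.endswith(".jar")):
        return None
    return group_id, artifact_id, version


def scan_repo(repo_root, blocklist=BLOCKLIST):
    """Return every blocklisted (groupId, artifactId, version) under repo_root."""
    root = Path(repo_root)
    hits = []
    for jar in sorted(root.rglob("*.jar")):
        coords = parse_repo_jar(root, jar)
        if coords is not None and coords[:2] in blocklist:
            hits.append(coords)
    return hits


def build_sample_repo(root):
    """Constructed sample layout: the chain from the issue plus the plugin itself.

    The jar contents are placeholder bytes, not real archives, and the plugin
    version is made up for the sample.
    """
    sample = [
        ("org.apache.maven.plugins", "maven-dependency-plugin", "3.2.0"),
        ("org.apache.velocity", "velocity-tools", "2.0"),
        ("org.apache.struts", "struts-core", "1.3.8"),
    ]
    for group_id, artifact_id, version in sample:
        d = Path(root, *group_id.split("."), artifact_id, version)
        d.mkdir(parents=True, exist_ok=True)
        (d / f"{artifact_id}-{version}.jar").write_bytes(b"PK\x03\x04")
        (d / f"{artifact_id}-{version}.pom").write_text("<project/>")


def demo():
    """Build the sample repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return scan_repo(tmp)


if __name__ == "__main__":
    for group_id, artifact_id, version in demo():
        print(f"flagged: {group_id}:{artifact_id}:{version}")
```

Run it against a real repository with scan_repo(Path.home() / ".m2" / "repository"). Only the struts-core jar is reported for the sample layout; velocity-tools and the plugin jar are left alone, which is the point: the finding is on a jar the project's own pom never names, so an exclusion in the project's dependencies would not make it go away.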
