vlsi opened a new issue, #1006: URL: https://github.com/apache/maven-doxia/issues/1006
### New feature, improvement proposal

Currently, `doxia-core` depends on `commons-lang3` and `commons-text` which in turn depends on `commons-lang3`.

The problem is that there's a known CVE for `commons-lang3` which impacts the users. For instance, a recent Checkstyle suffers from the CVE:

```
+--- com.puppycrawl.tools:checkstyle:10.26.1
|    +--- org.apache.maven.doxia:doxia-core:1.12.0
|    +--- org.apache.maven.doxia:doxia-core:1.12.0
...
|    |    +--- org.apache.commons:commons-lang3:3.8.1
|    |    +--- org.apache.commons:commons-text:1.3
|    |    |    \--- org.apache.commons:commons-lang3:3.7 -> 3.8.1
```

Could you please consider removing the uses of `commons-lang3` and `commons-text`?

As far as I understand, the use of `commons-lang3` is minimal: https://github.com/search?q=repo%3Aapache%2Fmaven-doxia%20org.apache.commons.lang3&type=code

The same goes for `commons-text`: https://github.com/search?q=repo%3Aapache%2Fmaven-doxia+org.apache.commons.text&type=code

FYI Checkstyle team removed their use of commons-lang3 in 2016: https://github.com/checkstyle/checkstyle/issues/2428
