This is an automated email from the ASF dual-hosted git repository.

ddekany pushed a commit to branch 2.3-gae
in repository https://gitbox.apache.org/repos/asf/freemarker.git

commit 054b2907974751970ca7fc3629d9f03a460d5144
Author: ddekany <[email protected]>
AuthorDate: Sat Oct 23 23:37:05 2021 +0200

    [FREEMARKER-190]: Updated dom4j version used during FreeMarker project 
compilation from 1.3 to 2.1.3. Users can still use FreeMarker with dom4j 1.3 
(mostly just luck, but it works). We were forced to do this because old dom4j 
versions have security vulnerabilities, and although FreeMarker is not affected 
by them (for instance, we do not pull in dom4j as a dependency into the projects 
of our users), we were flagged as vulnerable in certain places for merely 
supporting 1.3.
---
 ivy.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ivy.xml b/ivy.xml
index e21534f..dad9ff2 100644
--- a/ivy.xml
+++ b/ivy.xml
@@ -93,14 +93,14 @@
     <dependency org="jaxen" name="jaxen" rev="1.0-FCS" 
conf="build.base->default" />
     <dependency org="saxpath" name="saxpath" rev="1.0-FCS" 
conf="build.base->default" />
     <dependency org="xalan" name="xalan" rev="2.7.0" 
conf="build.base->default">
-      <!-- The lowerst supported xml-apis version depends on JDK version; 
prevent any collosion: -->
+      <!-- The lowerst supported xml-apis version depends on JDK version; 
prevent any collision: -->
       <exclude org="xml-apis" module="xml-apis" />
     </dependency>
-    <dependency org="dom4j" name="dom4j" rev="1.3" conf="build.base->default" 
/> <!-- legacy -->
+    <dependency org="org.dom4j" name="dom4j" rev="2.1.3" 
conf="build.base->default" /> <!-- legacy -->
     <dependency org="jdom" name="jdom" rev="1.0b8" conf="build.base->default" 
/> <!-- legacy -->
 
     <dependency org="ant" name="ant" rev="1.6.5" conf="build.base->default">
-      <!-- The lowerst supported xml-apis version depends on JDK version; 
prevent any collosion: -->
+      <!-- The lowerst supported xml-apis version depends on JDK version; 
prevent any collision: -->
       <exclude org="xml-apis" module="xml-apis" />
     </dependency>
     
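Review bot: The new dom4j line keeps only `<!-- legacy -->`, so nothing in ivy.xml records that the build now compiles against 2.1.3 while dom4j 1.3 is still meant to work at runtime, which the commit message itself describes as mostly luck. I would expand the comment to something like `<!-- legacy; compiled against 2.1.3, but dom4j 1.3 is still supported at runtime: avoid APIs added after 1.3 -->`, and a build or test step that runs against the 1.3 jar would turn that compatibility from an assumption into a check. The two xml-apis comments still read "lowerst" after the "collosion" fix. The neighbouring build-time pins visible in this hunk (xalan 2.7.0, ant 1.6.5, jaxen 1.0-FCS, jdom 1.0b8) are of similar age and may draw the same dependency-scanner flags, so they are worth auditing in the same pass.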
