I have been hunting down old security "vulnerable" versions of struts that
have been showing up in my .m2 directory, which is raising flags from my
Security people.  The dependency seems to be coming from an old
doxia-site-renderer.  It has been updated to not have a dependency on
struts at all with version 1.9.2. Many of the maven plugins have been
updated and released using this updated version of doxia-site-renderer.
Unfortunately, maven-dependency-plugin has not been released with this
update.  So it is impossible to fully update to that version of
doxia-site-renderer, as the version from the maven-dependency-plugin 3.1.2
cannot be updated by specifically overriding the dependency version in
pluginManagement before it pulls down struts (chicken-and-egg issue).
Looking at the repo on GitHub, there was a tag created for
maven-dependency-plugin 3.1.3 which looks to use the updated
doxia-site-renderer back in Oct. 2020, but it has not been released (or at
least Maven Central still only has v3.1.2).  Is there a plan for releasing
it or a newer version soon?

Thanks,
Tom
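As an added example (not part of Tom's mail or of any Maven project's own tooling), the following POSIX shell script inventories which Struts artifacts are actually sitting in a local Maven repository, so that a scanner's finding can be tied back to an exact groupId:artifactId:version and then traced with `mvn dependency:tree` to the plugin that pulled it in. It assumes the standard local-repository layout (`<repo>/<group path>/<artifactId>/<version>/<artifactId>-<version>.jar`); the sample repository it builds, including the struts 1.3.8 and doxia-site-renderer 1.9.2 entries, is constructed for the demonstration and is not taken from the mail.

```shell
#!/bin/sh
# Added example: list Struts jars present in a local Maven repository.
# Assumes Maven's standard layout:
#   <repo>/<group path>/<artifactId>/<version>/<artifactId>-<version>.jar

# list_struts_artifacts REPO_DIR
# Prints one "groupId:artifactId:version" line per Struts jar found,
# de-duplicated and sorted, so the output can be diffed between runs.
list_struts_artifacts() {
    repo="$1"
    find "$repo" -type f -name '*.jar' -path '*/org/apache/struts/*' 2>/dev/null |
    while read -r jar; do
        ver_dir=$(dirname "$jar")          # .../<artifactId>/<version>
        version=$(basename "$ver_dir")
        art_dir=$(dirname "$ver_dir")      # .../<group path>/<artifactId>
        artifact=$(basename "$art_dir")
        group_path=$(dirname "$art_dir")   # <repo>/<group path>
        # Strip the repository prefix and turn the path into a groupId.
        group=$(printf '%s' "${group_path#"$repo/"}" | tr '/' '.')
        printf '%s:%s:%s\n' "$group" "$artifact" "$version"
    done | sort -u
}

# make_sample_repo
# Builds a constructed repository in a temp dir (empty jar files are enough
# for the layout walk) and prints its path. Two Struts jars and one
# unrelated doxia jar are planted so the filter can be seen to work.
make_sample_repo() {
    tmp=$(mktemp -d)
    for gav in org/apache/struts/struts-core/1.3.8 \
               org/apache/struts/struts-taglib/1.3.8 \
               org/apache/maven/doxia/doxia-site-renderer/1.9.2; do
        mkdir -p "$tmp/$gav"
        art=$(basename "$(dirname "$gav")")
        ver=$(basename "$gav")
        : > "$tmp/$gav/$art-$ver.jar"
    done
    printf '%s\n' "$tmp"
}

# When run directly with a repository path, inventory that repository:
#   sh struts_inventory.sh "$HOME/.m2/repository"
if [ -n "$1" ]; then
    list_struts_artifacts "$1"
fi
```

Once the exact coordinates are known, `mvn dependency:tree -Dincludes=org.apache.struts` on the build in question shows which plugin or dependency introduces them; for a plugin-side pull like the doxia-site-renderer case above, the override has to go in the plugin's own `<dependencies>` block under `pluginManagement`, since the plugin resolves its classpath before the project's `dependencyManagement` is consulted.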
