[
https://issues.apache.org/jira/browse/MJAVADOC-545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691637#comment-16691637
]
Michael Osipov commented on MJAVADOC-545:
-----------------------------------------
That's a tricky one, it is a deep trans dep. The entire Doxia change needs to
switch to Velocity Engine 2.0 and Velocity Tools 3.0. If some newer version is
binary compatible you can easily change this in your parent POM. Is that an
option for you?
> Struts 1.3.8
> ------------
>
> Key: MJAVADOC-545
> URL: https://issues.apache.org/jira/browse/MJAVADOC-545
> Project: Maven Javadoc Plugin
> Issue Type: Dependency upgrade
> Components: javadoc
> Affects Versions: 3.0.1
> Reporter: Chris Scott
> Priority: Major
>
> Our security audits have reported that this plugin has a dependency on Struts
> 1.3.8 which has several critical security flaws. Although this is a
> build-time only plugin, this still represents a security issue. That version
> of Struts is also EOL which is far from ideal. Is there any way to update?
> [https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/version_id-164423/Apache-Struts-1.3.8.html]