On Monday, June 3, 2019, Tibor Digana wrote:
>
> We are the maintainers.
Beware, this kind of statement hurts the project and its community.
> Do you inherit from this project and you need dom4j as transitive
> dependency?
More or less yes. M2E embeds maven-archiver and transitive dependencie
Hi,
if dom4j is problematic I can try to remove that old dependency. We use it
internally in 2 places (in fact almost only one simple method) - to manage
element in pom.xml
Sylwester
On Tue, 4.06.2019 at 09:36, Homer, Tony wrote:
>>But there is one thing I do not understand why such upgrade is so important
>>for the users even if overriding the dependency in user's POM is so simple.
>>Do you inherit from this project and you need dom4j as transitive dependency?
I suppose you did not ask me, but I thought I'd share the bac
>>Who's the maintainer?
https://github.com/FilipJirsak
>> Sometimes a friendly ping through back channels can work wonders.
I don't know him but I sent him an email and cc:ed you (Rusty).
On 6/3/19 , 10:12 AM, "Elliotte Rusty Harold" wrote:
Who's the maintainer? Sometimes a friendly ping t
@Mickael Istria
@Eric Lilja
@Elliotte Rusty Harold
We are the maintainers.
But there is one thing I do not understand why such upgrade is so important
for the users even if overriding the dependency in user's POM is so simple.
Do you inherit from this project and you need dom4j as transitive
de
Merged
On Sun 2 Jun 2019 at 11:44, Stephen Connolly <
stephen.alan.conno...@gmail.com> wrote:
> I’m going to add a test where the “newer” pom has an incompatible schema
> with only modelVersion retained to ensure the parser errors get dismissed
> and we bomb early with the modelVersion complaint
+1, people on old versions of Java can remain on the old version of the
plugin. No one who is in a project where an old version of Java is still in
use (< 8) expects to have everything else in their eco-system (3PPs, maven
plugins etc) at bleeding edge versions. I guess many such projects are many
v
People who don't want to update are the ones who have to pay the effort,
not the project that tries to ship a security fix.
The simplest path forward is the one provided by Tony. Customers who don't
want to use it can remain on previous version of the archetype plugins.
Other proposals to fix it ar
Who's the maintainer? Sometimes a friendly ping through back channels
can work wonders.
On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony wrote:
>>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be
>>scheduled.
FWIW, there was an issue logged asking for that on 6 December 2018 [1].
I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 and
Java 8.
Just making sure this information is part of the di
First of all, this PR was created because of vulnerability CVE-2018-1000632.
Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
argument for me.
If some code was broken in that version, it would be an argument. But it is
not an argument to infinitely grow versions only becau
I know there are plenty of places at Java 8+. There are also many who
haven't gotten that far. Some of my day job involves Java 7+ clients,
and I know of others even further back than that.
On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory wrote:
FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
in the distant past. Most people can't even get Java 7 updates since it is
EOL unless you pay.
Gary
On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold
wrote:
I agree that this should be fixed. I'm not yet convinced that
requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli wrote:
Elliotte,
On Mon, 3 Jun 2019 at 15:59, Elliotte Rusty Harold <
elh...@ibiblio.org> wrote:
Perhaps ask the dom4j developers first to see if a 2.0.3 release can
be scheduled.
And if that doesn't work, how much effort is it to switch off of dom4j
completely?
maven-archetype strikes me as too important to drop Java 7
compatibility this soon.
On Fri, May 31, 2019 at 3:02 PM Homer, Tony
Tibor and I worked through this on the SUREFIRE issue above. I think it
makes sense to remove the link to the wiki but add a note to encourage
people to contribute on GitHub. I'm going to aim to make those changes
across all projects over the next few days.
Thanks Tibor for your guidance.
Jim
On