Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-10 Thread Homer, Tony
Tibor completed the work of removing dom4j library and reverted the change that moves maven-archetype to Java 8 [1]. This change mitigates the vulnerability to CVE-2018-1000632 while retaining Java 7 compatibility. In the JIRA I asked about when this can be released and Tibor suggested that I as

Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Homer, Tony
>>But there is one thing I do not understand why such upgrade is so important
>>for the users even if overriding the dependency in user's POM is so simple.
>>Do you inherit from this project and you need dom4j as transitive dependency?

I suppose you did not ask me, but I thought I'd share the bac

Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Homer, Tony
maintainer? Sometimes a friendly ping through back channels can work wonders.

On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony wrote:
>
> >>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be scheduled.
> FWIW, there was an issue logged asking

Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-03 Thread Homer, Tony
o important to drop Java 7
> > > > > compatibility this soon.
> > > > >
> > > >
> > > > Are you -1 with this change?
> > > > If a user wants to use java 7 he can use current version of the
> plugin.

proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-05-31 Thread Homer, Tony
Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to CVE-2018-1000632 [1]. I filed ARCHETYPE-567 [2] to track this. In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed. dom4j 2.1.x requires Java 8+ [3]. dom4j 2.0.x would retain compatibility with Java 7 (