Tibor completed the work of removing the dom4j library and reverted the change that
moves maven-archetype to Java 8 [1].
This change mitigates the vulnerability to CVE-2018-1000632 while retaining
Java 7 compatibility.
In the JIRA I asked about when this can be released and Tibor suggested that I
as
>>But there is one thing I do not understand why such upgrade is so important
>>for the users even if overriding the dependency in user's POM is so simple.
>>Do you inherit from this project and you need dom4j as transitive dependency?
I suppose you did not ask me, but I thought I'd share the bac
maintainer? Sometimes a friendly ping through back channels
can work wonders.
On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony wrote:
>
> >>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be
> >>scheduled.
> FWIW, there was an issue logged asking
o important to drop Java 7
> > > > > compatibility this soon.
> > > > >
> > > >
> > > > Are you -1 with this change?
> > > > If a user wants to use Java 7 he can use the current version of the
> plugin.
Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
CVE-2018-1000632 [1].
I filed ARCHETYPE-567 [2] to track this.
In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
dom4j 2.1.x requires Java 8+ [3].
dom4j 2.0.x would retain compatibility with Java 7 (