[MDEP-831] remove unused beanutils dependency #268

Merged
merged 1 commit into from
Nov 27, 2022
elharo (Contributor) commented Nov 27, 2022

elharo (Contributor Author) commented Nov 27, 2022

@elharo elharo merged commit ea2a668 into master Nov 27, 2022
@elharo elharo deleted the bean branch November 27, 2022 21:08
slawekjaranowski (Member) commented

@elharo, @slachiewicz

It was added in order to override the transitive version; now we have version 1.7.0 - please examine the dependency tree.

Why we need a newer version ... because of CVE ...

Probably a better place will be dependencyManagement for such a case.

elharo (Contributor Author) commented Dec 5, 2022

Adding an extra dependency is not the right way to handle this. DependencyManagement might be better but is not really right for this case either. This needs to be fixed in whatever dependency is pulling in the old version.

elharo (Contributor Author) commented Dec 5, 2022

Seems like the correct way to handle this is by releasing org.apache.maven.doxia:doxia-site-renderer:2.0.0 and then upgrading the dependency plugin to that version.

slawekjaranowski (Member) commented

You're right, fixing such an issue at the source is the best way, but until it happens we should have some workaround.
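
One way to do the "examine dependency tree" step raised in this thread, as an added example (not code from the PR or from the maven-dependency-plugin project): it parses `mvn dependency:tree` text output and reports which chain of dependencies brings in a given artifact and at what version. The tree below is a constructed sample; the `commons-beanutils:commons-beanutils` coordinates, the `org.example` artifacts and the `0.0.0-sample` versions are assumptions, and only version 1.7.0 and doxia-site-renderer come from the thread.

```python
import re

# Constructed sample of `mvn dependency:tree` output. The org.example artifacts
# and 0.0.0-sample versions are placeholders, not the plugin's real tree.
SAMPLE_TREE = """\
[INFO] org.example:sample-plugin:maven-plugin:0.0.0-sample
[INFO] +- org.apache.maven.doxia:doxia-site-renderer:jar:0.0.0-sample:compile
[INFO] |  +- org.example:intermediate-lib:jar:0.0.0-sample:compile
[INFO] |  |  \\- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  \\- org.example:other-lib:jar:0.0.0-sample:compile
[INFO] \\- org.example:direct-lib:jar:0.0.0-sample:compile
"""

# Tree-drawing prefix (3 characters per level), then a Maven coordinate.
NODE = re.compile(r"^(?:\[INFO\] )?([|+\\ -]*)([\w.-]+(?::[\w.-]+){3,5})$")


def parse_tree(text):
    """Yield (depth, coordinate) for every node line; other log lines are skipped."""
    for line in text.splitlines():
        m = NODE.match(line.rstrip())
        if m:
            yield len(m.group(1)) // 3, m.group(2)


def paths_to(text, group_artifact):
    """Return [(version, ancestor chain from root to parent)] per occurrence."""
    stack, hits = [], []
    for depth, coord in parse_tree(text):
        del stack[depth:]  # drop nodes that are not ancestors of this line
        parts = coord.split(":")
        if ":".join(parts[:2]) == group_artifact:
            # Dependencies end in :version:scope, the root ends in :version.
            version = parts[-2] if depth else parts[-1]
            hits.append((version, [":".join(c.split(":")[:2]) for c in stack]))
        stack.append(coord)
    return hits


def report(text, group_artifact):
    """Describe each occurrence as direct or transitive, naming the chain."""
    out = []
    for version, chain in paths_to(text, group_artifact):
        kind = "direct" if len(chain) == 1 else "transitive via " + " -> ".join(chain[1:])
        out.append(f"{group_artifact}:{version} ({kind})")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TREE, "commons-beanutils:commons-beanutils")))
```

The first element after the root in the reported chain is the direct dependency whose upgrade would remove the old version at its source, which is the fix argued for above.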
