Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/06/25 06:10:00 UTC

[jira] [Commented] (WSS-675) WSS4J 2.3.0 exposes Guava

    [ https://issues.apache.org/jira/browse/WSS-675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17144666#comment-17144666 ] 

Colm O hEigeartaigh commented on WSS-675:
-----------------------------------------

There was a compile-time dependency on Guava in previous releases as well, just coming in from OpenSAML, e.g. on the 2_2_X-fixes branch:

[INFO] | +- com.google.guava:guava:jar:19.0:compile

The reason I explicitly added it in the pom for 2.3.0 was to override the OpenSAML version, as it has a CVE associated with it. It can be excluded in any case, if you are not using OpenSAML.

> WSS4J 2.3.0 exposes Guava
> -------------------------
>
>                 Key: WSS-675
>                 URL: https://issues.apache.org/jira/browse/WSS-675
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 2.3.0
>            Reporter: Philip Helger
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> Hi,
> since v2.3.0 ws-security-commons exposes the Guava dependency.
> Is that really necessary or can we live without that additional dependency?
> Thanks, Philip


