Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/06/25 06:10:00 UTC
[jira] [Commented] (WSS-675) WSS4J 2.3.0 exposes Guava
[ https://issues.apache.org/jira/browse/WSS-675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17144666#comment-17144666 ]
Colm O hEigeartaigh commented on WSS-675:
-----------------------------------------
There was a compile time dependency on Guava in previous releases as well, just coming in from OpenSAML, e.g. on the 2_2_X-fixes branch:
[INFO] | +- com.google.guava:guava:jar:19.0:compile
The reason I explicitly added it in the pom for 2.3.0 was to override the OpenSAML version, as it has a CVE associated with it. It can be excluded in any case, if you are not using OpenSAML.
> WSS4J 2.3.0 exposes Guava
> -------------------------
>
> Key: WSS-675
> URL: https://issues.apache.org/jira/browse/WSS-675
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 2.3.0
> Reporter: Philip Helger
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> Hi,
> since v2.3.0 ws-security-commons exposes the Guava dependency.
> Is that really necessary or can we live without that additional dependency?
> Thanks, Philip
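The two options mentioned in the comment above (excluding Guava when OpenSAML is not used, and overriding the transitive version) could look like this in a consuming project's pom. This is an added example, not taken from the WSS4J project's own pom. The consumer coordinates `com.example:wss4j-consumer`, the `guava.version` property with its placeholder value, and the module coordinates `org.apache.wss4j:wss4j-ws-security-common` are assumptions.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Hypothetical consumer project, constructed for this example -->
  <groupId>com.example</groupId>
  <artifactId>wss4j-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Placeholder: set to the Guava release your project has vetted -->
    <guava.version>REPLACE_WITH_VETTED_GUAVA_VERSION</guava.version>
  </properties>

  <!-- Pin: any path that still resolves Guava (for example through
       OpenSAML) gets this version instead of the transitive 19.0 -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${guava.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- Assumed coordinates for the module the reporter refers to -->
      <groupId>org.apache.wss4j</groupId>
      <artifactId>wss4j-ws-security-common</artifactId>
      <version>2.3.0</version>
      <exclusions>
        <!-- Only safe when the application does not use OpenSAML -->
        <exclusion>
          <groupId>com.google.guava</groupId>
          <artifactId>guava</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree -Dincludes=com.google.guava:guava` afterwards shows whether any remaining path still resolves Guava and at which version.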