You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Jean-Louis Monteiro (Jira)" <ji...@apache.org> on 2022/01/19 10:25:00 UTC
[jira] [Commented] (TOMEE-3742) Drop patched dependencies
[ https://issues.apache.org/jira/browse/TOMEE-3742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17478538#comment-17478538 ]
Jean-Louis Monteiro commented on TOMEE-3742:
--------------------------------------------
I think the only remaining are Xalan and CXF.
The first one is not maintained so not much to do but patch and maintain ourselves.
For CXF, upgrading to latest version requires quite a lot of changes.
So I believe it's more a who can do it at the moment.
> Drop patched dependencies
> -------------------------
>
> Key: TOMEE-3742
> URL: https://issues.apache.org/jira/browse/TOMEE-3742
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 8.0.7
> Reporter: Romain Manni-Bucau
> Priority: Major
>
> Last tomee releases use a lot of patch dependencies.
> Most of them - not to say all ;) - are not needed but this way of doing broke a lot of applications. Just to give a few examples:
> # it breaks distro scanning (jar are unknown and CVE are missed which is super important for anyone have some security policy in companies) since jars are "corrupted" (from a scanning point of view)
> # it broke some features (default json providers can't be disabled as before breaking applications)
> # it makes it random to update backward compatible dependencies
> # it makes embedded mode quite random and behaving unexpectedly when not using the fork
>
> This ticket is about dropping all forks ensuring 1 and 4 are trivially solved by doing (back) nothing and if possible try to fix 2 (the json setup is just about reverting or integrating more with bus providers in cxf for ex).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)