You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2022/12/04 19:05:00 UTC
[jira] [Commented] (MSHARED-848) Code Improvement in ReaderFactory to get rid of commons-io dependency
[ https://issues.apache.org/jira/browse/MSHARED-848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17643064#comment-17643064 ]
Elliotte Rusty Harold commented on MSHARED-848:
-----------------------------------------------
commons-io has been upgraded to 2.11 so the CVE is no longer an issue. The underlying issue remains.
> Code Improvement in ReaderFactory to get rid of commons-io dependency
> ---------------------------------------------------------------------
>
> Key: MSHARED-848
> URL: https://issues.apache.org/jira/browse/MSHARED-848
> Project: Maven Shared Components
> Issue Type: Improvement
> Components: maven-shared-utils
> Affects Versions: maven-shared-utils-3.3.3
> Reporter: Karl Heinz Marbaise
> Priority: Minor
>
> Currently the dependency to:
> {code:xml}
> <dependency>
> <groupId>commons-io</groupId>
> <artifactId>commons-io</artifactId>
> <version>2.6</version>
> </dependency>
> {code}
> is only needed within the class {{ReaderFactory}} which imports {{org.apache.commons.io.input.XmlStreamReader}}.
> The question: Can that be replaced with something different? In consequence we could get rid of the dependency on {{commons-io}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)