Posted to dev@jena.apache.org by GitBox <gi...@apache.org> on 2019/09/21 20:51:53 UTC

[GitHub] [jena] afs commented on issue #609: Clean javadoc

afs commented on issue #609: Clean javadoc
URL: https://github.com/apache/jena/pull/609#issuecomment-533829343

Thanks for pointing that out. It's been bumpy for upgrades these last few months.

We have an upstream dependency on Jackson for jsonld-java. I don't think any of the Jena code directly uses the Jackson code. Now, Jena and jsonld-java don't actually use the part of databind that has been under attack, but it is easy to upgrade, so if Jena users use Jackson directly, they get the fixes.

jsonld-java is currently depending on 2.9.9 (core) and 2.9.9.2 (databind). Jena takes control of the exact version because of the releases for CVEs, giving us fine-grained control (2.9.9.x) without needing to wait for jsonld-java to release, assuming x.x.x.+1 is fix-only.

In my $job, some customers scan jars and match against the CVE database. I'm sure they aren't the only ones. It is easier to upgrade than explain why the CVE does not affect the code.

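The mechanism afs describes, pinning the Jackson version that jsonld-java pulls in transitively so the project can ship a fix-only patch release without waiting on the upstream library, is a Maven `dependencyManagement` entry. The fragment below is an added illustration and not Jena's own `pom.xml`; the two version numbers are the ones quoted in the comment above, and the Maven coordinates for Jackson (`com.fasterxml.jackson.core`) and jsonld-java (`com.github.jsonld-java`) are assumed from those projects' published artifacts. A property holds the pinned version so a later `2.9.9.x` bump is a one-line change, and the import of `jsonld-java` itself carries no Jackson version of its own.

```xml
<project>
  <!-- Added example, not the project's pom.xml: pin the transitive
       Jackson version so a fix-only patch release can be taken
       without a new jsonld-java release. -->
  <properties>
    <!-- Versions from the comment above: core 2.9.9, databind 2.9.9.2 -->
    <ver.jackson-core>2.9.9</ver.jackson-core>
    <ver.jackson-databind>2.9.9.2</ver.jackson-databind>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement wins over the version jsonld-java
           declares, so every module resolves the pinned release. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${ver.jackson-core}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${ver.jackson-databind}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- jsonld-java is the only reason Jackson is on the classpath;
         its own Jackson version is overridden by the block above.
         The jsonld-java version is a placeholder, not a value from the page. -->
    <dependency>
      <groupId>com.github.jsonld-java</groupId>
      <artifactId>jsonld-java</artifactId>
      <version>JSONLD_JAVA_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pin, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows which version each module actually resolved, which is the same view a jar-scanning tool will take, so it is the quickest way to confirm the override reached every artifact before a release.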
