Upgrade dom4j from 1.6.1 to 2.1.3 #9939

Merged (2 commits) on Dec 17, 2021

Commits on Dec 16, 2021

  1. 42740f4
  2. Upgrade dom4j from 1.6.1 to 2.1.3

    - Fixed compile time generics in test utility
    - Fixed incorrect use of Dom4j in FeedEntriesRepresenter which now fails validation
    
    Despite not being flagged on OWASP Dependency Check reports, DOM4J 1.6.1 may be subject to https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000632 - it's not clear that this only affects DOM4J 2.x and folks such as Hibernate upgraded it as a result: https://hibernate.atlassian.net/browse/HHH-12964
    
    Additionally, `1.6.1` is very EOL and un-patched.
    * It seems fully compatible at runtime
    * Old Hibernate depends on it, but was upgraded in hibernate/hibernate-orm#2533 with no other code changes
    * Release notes don't mention any serious breaking changes other than compile time generics https://github.com/dom4j/dom4j/releases/tag/version-2.0.0
    chadlwilson committed Dec 16, 2021
    f32c808
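The commit message above notes that dom4j 2.x "now fails validation" where 1.6.1 did not, which is the behaviour behind CVE-2018-1000632 (element and attribute names built from untrusted strings were never checked). The following is an added illustration, not code from this PR or from the repository; the `feed` and `title` element names and the untrusted input string are constructed for the example, and the specific misuse in FeedEntriesRepresenter is not shown on the page.

```java
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

public class Dom4jNameValidationDemo {

    // Builds a small feed document where the child element name comes from
    // a string the caller does not control (constructed example, hypothetical API).
    static String buildEntry(String untrustedElementName, String text) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("feed");
        // dom4j 2.1.x validates the QName here and throws IllegalArgumentException
        // for strings that are not legal XML names; 1.6.1 accepted them unchecked,
        // so the name was serialised verbatim into the output document.
        root.addElement(untrustedElementName).setText(text);
        return doc.asXML();
    }

    public static void main(String[] args) {
        // A legal name behaves the same on 1.6.1 and 2.1.3.
        System.out.println(buildEntry("title", "hello"));

        // A constructed name containing markup characters: with 1.6.1 this becomes
        // injected markup in the serialised XML; with 2.1.3 it is rejected before
        // any document is produced, which is the "fails validation" the PR refers to.
        try {
            buildEntry("title><injected/><title", "hello");
            System.out.println("name accepted: this is dom4j 1.6.1 behaviour");
        } catch (IllegalArgumentException e) {
            System.out.println("name rejected by dom4j 2.x QName validation: " + e.getMessage());
        }
    }
}
```

Running this against both dependency versions on the classpath is a quick way to confirm that an upgrade actually closes the injection path rather than relying on the absence of an OWASP Dependency Check finding.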