2.0.4

@github-actions github-actions released this 27 May 12:27

This release fixes one bug in XPath evaluation involving union precedence relative to additive expressions.

It also removes all recursion from XPath expression parsing, meaning Jaxen can now parse much more complex and longer XPath expressions without overflowing the stack. This prevents a whole class of DoS attacks when user-supplied XPath expressions are passed into a program (which you probably shouldn't be doing anyway, but it's a big world and I'm sure someone is making that mistake).

Neither of these problems was detected by LLMs or security scanners. I continue to get a slow trickle of misguided reports about loading DTDs or URLs, but so far the automated tools are missing the big stuff. (The static security scanners were never very good in the first place.) Recursion is a vastly overused technique in Java. Unlike some other languages, Java doesn't do tail-call optimization, so it's really easy to bust the stack in any recursive method. Less importantly, recursive programs are almost always slower than the non-recursive equivalents. XOM is very careful to avoid recursion for these reasons. Jaxen, not so much. It still uses recursion when evaluating XPath expressions, and I'm looking at fixing that in upcoming releases.

I've started that in this release by deprecating the simplify method. That method is an internal implementation detail and shouldn't have been public in the first place, but like a lot of Java programs, Jaxen uses many more packages than it should. Packages are meant for access control boundaries, not for separating programs into related groups of functionality.

PRs

  • Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.6.2 to 3.9.0 by @dependabot[bot] in #426
  • Bump org.apache.maven.plugins:maven-assembly-plugin from 3.7.1 to 3.8.0 by @dependabot[bot] in #425
  • Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.12.0 by @dependabot[bot] in #422
  • Bump org.apache.maven.plugins:maven-resources-plugin from 3.3.1 to 3.5.0 by @dependabot[bot] in #423
  • Upgrade XOM to 1.4.2 and fix Java 8 ElementTraversal classpath breakage by @Copilot in #428
  • Resolve unresolved Maven site variables and enforce static HTML/CSS-only Pages output by @Copilot in #430
  • remove public modifier from interfaces by @hduelme in #172
  • don't fully qualify SAXPathException by @elharo in #439
  • Fix unterminated string literal handling and add regression tests at lexer and API levels by @Copilot in #433
  • avoid recursion by @elharo in #431
  • remove debugging code by @elharo in #446
  • deprecate simplify by @elharo in #445
  • Inline dead PatternParser.USE_HANDLER branch by @Copilot in #448
  • deprecate simplify by @elharo in #449
  • Suppress javac obsolete-options warnings for Java 1.5 target builds by @Copilot in #453
  • add 2.0.4 release notes by @elharo in #456
  • Fix XPath union precedence relative to additive expressions by @Copilot in #460
  • Remove recursion from union operations by @elharo in #455
  • Avoid recursion when processing and and or by @elharo in #461
  • Prevent parser stack overflow on deeply nested parenthesized filter expressions by @Copilot in #462
  • Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.7 to 3.2.8 by @dependabot[bot] in #468
  • Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.5.0 by @dependabot[bot] in #469
  • Bump org.apache.maven.plugins:maven-surefire-report-plugin from 3.5.1 to 3.5.5 by @dependabot[bot] in #466
  • Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.23.1 to 0.26.0 by @dependabot[bot] in #465
  • Characterization tests for the pattern package by @elharo in #470
  • Revise Jaxen 2.0.4 change history details by @elharo in #472
  • Update release notes for version 2.0.4 by @elharo in #474
  • Switch release workflow to PR-based handoff for protected master by @Copilot in #476
  • Update version number to 2.0.4 in index.xml by @elharo in #477
  • Update index.xml before release by @elharo in #478

Full Changelog: v2.0.3...v2.0.4