dependabot[bot] opened a new pull request, #3175: URL: https://github.com/apache/cxf/pull/3175
Bumps [jaxen:jaxen](https://github.com/jaxen-xpath/jaxen) from 2.0.3 to 2.0.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/jaxen-xpath/jaxen/releases";>jaxen:jaxen's releases</a>.</em></p> <blockquote> <h2>2.0.4</h2> <p>This release fixes one bug in XPath evaluation involving union precedence relative to additive expressions.</p> <p>It also removes all recursion from XPath expression parsing meaning Jaxen can now parse much more complex and longer XPath expression without stack overflowing. This prevents a whole class of DoS attacks when user-supplied XPath expressions are passed into a program (which you probably shouldn't be doing anyway, but it's a big world and I'm sure someone is making that mistake.)</p> <p>Neither of these problems was detected by LLMs or security scanners. I continue to get a slow trickle of misguided reports about loading DTDs or URLs, but so far the automated tools are missing the big stuff. (The static security scanners were never very good in the first place.) Recursion is a vastly overused technique in Java. Unlike some other languages, Java doesn't do tail-call optimization so it's really easy to bust the stack in any recursive method. Less importantly recursive programs are almost always slower than the non-recursive equivalents. XOM is very careful to avoid recursion for these reasons. Jaxen, not so much. It still uses recursion when evaluating XPath expressions, and I'm looking at fixing that in upcoming releases.</p> <p>I've started that in this release by deprecating the <code>simplify</code> method. That method is an internal implementation detail and shouldn't have been public in the first place, but like a lot of Java programs Jaxen uses many more packages than it should. Packages are meant for access control boundaries, not for separating programs into related groups of functionality.</p> <h2>PRs</h2> <ul> <li>Bump org.apache.maven.plugins:maven-project-info-reports-plugin from 3.6.2 to 3.9.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/426";>jaxen-xpath/jaxen#426</a></li> <li>Bump org.apache.maven.plugins:maven-assembly-plugin from 3.7.1 to 3.8.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/425";>jaxen-xpath/jaxen#425</a></li> <li>Bump org.apache.maven.plugins:maven-javadoc-plugin from 3.10.1 to 3.12.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/422";>jaxen-xpath/jaxen#422</a></li> <li>Bump org.apache.maven.plugins:maven-resources-plugin from 3.3.1 to 3.5.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/423";>jaxen-xpath/jaxen#423</a></li> <li>Upgrade XOM to 1.4.2 and fix Java 8 <code>ElementTraversal</code> classpath breakage by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/428";>jaxen-xpath/jaxen#428</a></li> <li>Resolve unresolved Maven site variables and enforce static HTML/CSS-only Pages output by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/430";>jaxen-xpath/jaxen#430</a></li> <li>remove public modifier from interfaces by <a href="https://github.com/hduelme";><code>@hduelme</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/172";>jaxen-xpath/jaxen#172</a></li> <li>don't fully qualify SAXPathException by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/439";>jaxen-xpath/jaxen#439</a></li> <li>Fix unterminated string literal handling and add regression tests at lexer and API levels by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/433";>jaxen-xpath/jaxen#433</a></li> <li>avoid recursion by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/431";>jaxen-xpath/jaxen#431</a></li> <li>remove debugging code by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/446";>jaxen-xpath/jaxen#446</a></li> <li>deprecate simplify by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/445";>jaxen-xpath/jaxen#445</a></li> <li>Inline dead <code>PatternParser.USE_HANDLER</code> branch by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/448";>jaxen-xpath/jaxen#448</a></li> <li>deprecate simplify by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/449";>jaxen-xpath/jaxen#449</a></li> <li>Suppress javac obsolete-options warnings for Java 1.5 target builds by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/453";>jaxen-xpath/jaxen#453</a></li> <li>add 2.0.4 release notes by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/456";>jaxen-xpath/jaxen#456</a></li> <li>Fix XPath union precedence relative to additive expressions by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/460";>jaxen-xpath/jaxen#460</a></li> <li>Remove recursion from union operations by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/455";>jaxen-xpath/jaxen#455</a></li> <li>Avoid recursion when processing and and or by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/461";>jaxen-xpath/jaxen#461</a></li> <li>Prevent parser stack overflow on deeply nested parenthesized filter expressions by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/462";>jaxen-xpath/jaxen#462</a></li> <li>Bump org.apache.maven.plugins:maven-gpg-plugin from 3.2.7 to 3.2.8 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/468";>jaxen-xpath/jaxen#468</a></li> <li>Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.5.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/469";>jaxen-xpath/jaxen#469</a></li> <li>Bump org.apache.maven.plugins:maven-surefire-report-plugin from 3.5.1 to 3.5.5 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/466";>jaxen-xpath/jaxen#466</a></li> <li>Bump com.github.siom79.japicmp:japicmp-maven-plugin from 0.23.1 to 0.26.0 by <a href="https://github.com/dependabot";><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/465";>jaxen-xpath/jaxen#465</a></li> <li>Characterization tests for the pattern package by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/470";>jaxen-xpath/jaxen#470</a></li> <li>Revise Jaxen 2.0.4 change history details by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/472";>jaxen-xpath/jaxen#472</a></li> <li>Update release notes for version 2.0.4 by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/474";>jaxen-xpath/jaxen#474</a></li> <li>Switch release workflow to PR-based handoff for protected <code>master</code> by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/476";>jaxen-xpath/jaxen#476</a></li> <li>Update version number to 2.0.4 in index.xml by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/477";>jaxen-xpath/jaxen#477</a></li> <li>Update index.xml before release by <a href="https://github.com/elharo";><code>@elharo</code></a> in <a href="https://redirect.github.com/jaxen-xpath/jaxen/pull/478";>jaxen-xpath/jaxen#478</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/jaxen-xpath/jaxen/compare/v2.0.3...v2.0.4";>https://github.com/jaxen-xpath/jaxen/compare/v2.0.3...v2.0.4</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/f593b488e1077d8266bd9244b9dd79fd6bd6987f";><code>f593b48</code></a> Release 2.0.4</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/522d0853ca1a64b86d0c6607cef81b9c7ed5fe71";><code>522d085</code></a> Update index.xml before release (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/478";>#478</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/94bf85f248e57cdf177c34960d82e0085078979c";><code>94bf85f</code></a> Update version number to 2.0.4 in index.xml (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/477";>#477</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/81589cc47f66531416b177097e7d70b458fcb47d";><code>81589cc</code></a> Switch release workflow to PR-based handoff for protected <code>master</code> (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/476";>#476</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/6a24e880f29d32fdd2de3e202f50dd4abfebe06a";><code>6a24e88</code></a> Update release notes for version 2.0.4 (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/474";>#474</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/2c71f01508803affc1caaa8def76557158a81141";><code>2c71f01</code></a> Revise Jaxen 2.0.4 change history details (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/472";>#472</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/5d4a6af46e27f4c47848ebf3d1ebd8e4fc553223";><code>5d4a6af</code></a> Characterization tests for the pattern package (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/470";>#470</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/37f6c3b2b2d202eb51ee62e2e75bd2d2f96096b2";><code>37f6c3b</code></a> Bump com.github.siom79.japicmp:japicmp-maven-plugin (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/465";>#465</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/36a8cd0ba6f0d6f4ca068cb2df33331a5cb23cc8";><code>36a8cd0</code></a> Bump org.apache.maven.plugins:maven-surefire-report-plugin (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/466";>#466</a>)</li> <li><a href="https://github.com/jaxen-xpath/jaxen/commit/c70ca5b2857383d1a07e53173b8265168f490a00";><code>c70ca5b</code></a> Bump org.apache.maven.plugins:maven-jar-plugin from 3.3.0 to 3.5.0 (<a href="https://redirect.github.com/jaxen-xpath/jaxen/issues/469";>#469</a>)</li> <li>Additional commits viewable in <a href="https://github.com/jaxen-xpath/jaxen/compare/v2.0.3...v2.0.4";>compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
