As far as I know, no one is currently working on this and no one has stepped forward to fund this work with either hours or dollars.

On Wed, May 5, 2021 at 5:49 AM Tom VanDeGrift <[email protected]> wrote:
>
> I have been hunting down old security "vulnerable" versions of struts that
> have been showing up in my .m2 directory, which is raising flags from my
> Security people. The dependency seems to be coming from an old
> doxia-site-renderer. It has been updated to not have a dependency on
> struts at all with version 1.9.2. Many of the maven plugins have been
> updated and released using this updated version of doxia-site-renderer.
> Unfortunately maven-dependency-plugin has not been released with this
> update. So it is impossible to fully update to that version of
> doxia-site-renderer, as the version from the maven-dependency-plugin 3.1.2
> cannot be updated by specifically overriding the dependency version in
> pluginManagement before it pulls down struts (chicken and egg issue).
> Looking at the repo on GitHub, there was a tag created for
> maven-dependency-plugin 3.1.3 which looks to use the updated
> doxia-site-renderer back in Oct. 2020, but it has not been released (or at
> least maven central still only has v3.1.2). Is there a plan for releasing
> it or a newer version soon?
>
> Thanks,
> Tom

--
Elliotte Rusty Harold
[email protected]
