Hi, I was working on a PR after the report, seems like you created one already. I will review this, thanks!
On Sat, 2 May, 2026, 2:23 pm rzo1 (via GitHub), <[email protected]> wrote:

> rzo1 opened a new pull request, #1029:
> URL: https://github.com/apache/opennlp/pull/1029
>
> Apply a JEP 290 ObjectInputFilter to SvmDoccatModel.deserialize() that
> allow-lists only the classes reachable from a legitimate model graph and
> bounds graph depth, references, and array length. Foreign payloads are now
> rejected with InvalidClassException before readObject() returns, rather
> than after the cast.
>
> Add a public DeserializationLimits record and a
> deserialize(InputStream, DeserializationLimits) overload so callers
> with unusually large models can raise the resource limits without touching
> the class allow-list. The original deserialize(InputStream) signature is
> preserved and now delegates to DeserializationLimits.DEFAULT.
>
> FYI @subbudvk Please have a look.
>
> --
> This is an automated message from the Apache Git Service.
> To respond to the message, please log on to GitHub and use the
> URL above to go to the specific comment.
>
> To unsubscribe, e-mail: [email protected]
>
> For queries about this service, please contact Infrastructure at:
> [email protected]
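Added example, not part of this thread and not the code in PR #1029: a minimal sketch of the JEP 290 pattern the pull request describes, with a class allow-list plus bounds on depth, references and array length applied before `readObject()` returns. The `Model` and `Limits` types, the limit values and the sample inputs are hypothetical stand-ins; it assumes Java 17 or later.

```java
import java.io.*;
import java.util.*;
public class FilteredModelLoad {
    // Hypothetical stand-ins, not OpenNLP's SvmDoccatModel or DeserializationLimits.
    record Limits(long maxDepth, long maxRefs, long maxArray) {
        static final Limits DEFAULT = new Limits(16, 10_000, 1_000_000); // assumed values
    }
    static final class Model implements Serializable {
        private static final long serialVersionUID = 1L;
        final String label; final double[] weights;
        Model(String label, double[] weights) { this.label = label; this.weights = weights; }
    }
    // Allow-list: only classes reachable from a legitimate Model graph.
    static final Set<Class<?>> ALLOWED = Set.of(Model.class, String.class, double[].class);

    static ObjectInputFilter filter(Limits lim) {
        return info -> {
            // Resource bounds apply to every check, including back-references.
            if (info.depth() > lim.maxDepth() || info.references() > lim.maxRefs()
                    || info.arrayLength() > lim.maxArray()) {
                return ObjectInputFilter.Status.REJECTED;
            }
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // no class in this check
            // Reject explicitly: UNDECIDED would let an unknown class through.
            return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                       : ObjectInputFilter.Status.REJECTED;
        };
    }
    static Model deserialize(InputStream in, Limits lim) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(filter(lim)); // must precede the first readObject()
            return (Model) ois.readObject();
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Model("spam", new double[] {0.5, -1.2}));
        System.out.println("loaded: " + deserialize(new ByteArrayInputStream(good), Limits.DEFAULT).label);
        // Constructed inputs: a harmless class off the allow-list, then the model under a tiny array limit.
        byte[] foreign = serialize(new ArrayList<>(List.of("x")));
        for (var t : List.of(Map.entry(foreign, Limits.DEFAULT), Map.entry(good, new Limits(16, 10_000, 1)))) {
            try { deserialize(new ByteArrayInputStream(t.getKey()), t.getValue()); }
            catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Both rejected inputs fail inside `readObject()` with `InvalidClassException`, so the cast to `Model` is never reached; changing the `Limits` argument moves the resource bounds without touching `ALLOWED`.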
