Hi! Our icu4j version has CVEs. It is pulled in via com.salesforce.i18n:i18n-util
*[INFO] +- com.salesforce.i18n:i18n-util:jar:1.0.4:compile[INFO] | +- commons-lang:commons-lang:jar:2.6:compile[INFO] | +- com.ibm.icu:icu4j:jar:60.2:compile[INFO] | +- com.ibm.icu:icu4j-localespi:jar:60.2:compile[INFO] | \- com.ibm.icu:icu4j-charset:jar:60.2:compile* https://github.com/salesforce/i18n-util is marked as archived, and the committer names are not familiar to me. Do you think that it is possible to have a new release with a recent icu4j version ? If not, should we A.) Dependencymanage icu4j (haven't tested if it works yet) B.) Copy the necessary i18n-util code directly to the Phoenix codebase, and drop the dependency (it's small) ? regards Istvan
