Hi Jörg

On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> Hi Robert,
> 
> makes sense.
> 
> To clarify: We just provide this final version of commons.json as a
> convenience for all users who are still depending on commons.json; but
> there is no intention to continue development of commons.json or to
> re-introduce this dependency again into other areas of Sling.


There is no intention to use this again in any other modules, add it to
the Starter, etc. We will keep the code deprecated. At the same time,
we may choose to apply fixes for the reported CVEs, if those are
already available upstream, and cut a new release.

Thanks,
Robert

> 
> Correct?
> 
> Jörg
> 
> 
> Am Mo., 26. Feb. 2024 um 16:30 Uhr schrieb Robert Munteanu <
> romb...@apache.org>:
> 
> > Hi,
> > 
> > A long time ago we retired the commons.json module for legal reasons
> > [1], leaving it only in the SVN attic [2].
> > 
> > After some time a CVE was reported against this module [3] which we
> > could not fix as we could not release new versions.
> > 
> > In the meantime, the JSON library we have been using has changed its
> > license to 'Public domain', which makes it acceptable for use at the
> > ASF. [4]
> > 
> > I would like to create a GitHub repository for this module and include
> > the current state from the attic. This opens up the way for creating a
> > final service release, allowing consumers of this bundle that have not
> > cleaned up their usages to use non-vulnerable versions.
> > 
> > I will leave this thread open for comments for 72 hours.
> > 
> > Thanks,
> > Robert
> > 
> > 
> > [1]:
> > https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > [4]: https://issues.apache.org/jira/browse/LEGAL-666
> > 
> 
> 
