Thanks for bringing this up, Joey.

Looking into this, it’s already on Twitter4J’s radar and there’s an open 
pull-request.

https://github.com/yusuke/twitter4j/pull/215

Provided they resolve and release again in the near future, the only action 
we’ll need to take is to upgrade.

Any ideas on ways to scan all of our direct dependencies for usage of 
org.json:json?
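One way to answer that question with Maven's own tooling, as an added example that is not part of this thread or of the Streams project: `mvn dependency:tree -Dincludes=org.json:json` prunes each module's tree to the paths that reach org.json, so the depth-1 node above every hit is the direct dependency that needs replacing. The script below parses that output; the sample tree, module names and versions it embeds are constructed for illustration.

```shell
#!/bin/sh
# Report "module -> direct dependency" for every direct dependency whose
# subtree contains the target artifact (e.g. org.json:json). Real usage:
#   mvn dependency:tree -Dincludes=org.json:json | report_direct_offenders org.json:json
report_direct_offenders() {
  awk -v target="$1:" '
    # Module root line: group:artifact:type:version, no spaces, no scope.
    /^\[INFO\] [^ :]+:[^ :]+:[^ :]+:[^ :]+$/ { module = substr($0, 8); next }
    # Dependency line: "[INFO] ", tree drawing ("|  " or "   "), then "+- " or "\- ".
    /^\[INFO\] / {
      line = substr($0, 8)
      idx = index(line, "+- ")
      if (idx == 0) idx = index(line, "\\- ")
      if (idx == 0) next                  # plugin banners, summaries, etc.
      depth = (idx - 1) / 3 + 1           # each nesting level is 3 characters wide
      coord = substr(line, idx + 3)
      if (depth == 1) direct = coord      # nearest direct dependency seen so far
      if (index(coord, target) == 1) print module " -> " direct
    }'
}

# Constructed sample of `mvn dependency:tree -Dincludes=org.json:json` output
# for a two-module reactor (coordinates and versions are illustrative only).
sample_tree() {
  cat <<'EOF'
[INFO] --- maven-dependency-plugin:X.Y:tree (default-cli) @ streams-provider-twitter ---
[INFO] org.apache.streams:streams-provider-twitter:jar:1.0.0
[INFO] \- org.twitter4j:twitter4j-core:jar:4.0.0:compile
[INFO]    \- org.json:json:jar:1.0:compile
[INFO]
[INFO] --- maven-dependency-plugin:X.Y:tree (default-cli) @ streams-example ---
[INFO] org.apache.streams:streams-example:jar:1.0.0
[INFO] \- com.example:wrapper-lib:jar:2.0:compile
[INFO]    \- com.example:inner-lib:jar:2.0:compile
[INFO]       \- org.json:json:jar:1.0:compile
EOF
}

# Stand-alone demo on the constructed sample.
sample_tree | report_direct_offenders org.json:json
```

Because the direct dependency is what gets swapped or shaded, the report lists that coordinate rather than the org.json node itself; the second module shows the transitive case where org.json sits two levels down.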

On November 14, 2016 at 6:04:53 PM, Joey Frazee (joey.fra...@icloud.com) wrote:

The ASF recently reclassified the JSON license for org.json as category-x 
because of its "shall be used for Good, not Evil" clause [1].  

There does not appear to be any direct usage of it in Streams but there are a 
number of dependencies in Streams that do depend on org.json, most notably 
Twitter4j, and it does appear in the poms.  

Looking forward to the next release it probably makes sense to verify where 
it's being pulled in and find an alternative. There seem to be 3 approaches 
people are taking:  

- Pull relevant code into the project and replace the JSON.org code with a 
compatible alternative  

- Cease distributing offending modules as part of the Apache release  

- Replace dependencies with alternatives that do not depend on org.json.  

To my knowledge releases aren't currently getting -1 because of this, but it's 
probably coming and prudent to address it anyway.  

I think in the case of Twitter4j at least, we can likely pull the code into the 
project, replace the org.json dep and begin working towards our own 
implementation.  

-joey  

1. http://www.apache.org/legal/resolved#json  
