[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17627638#comment-17627638
 ] 

Nick Burch commented on TIKA-2536:
----------------------------------

We can only depend on versions in maven central; we can't depend on versions 
hosted elsewhere.

If newer versions have been formally released, ideally the project owners would 
upload them to central. If they can't/won't and we can get that confirmed, we 
may be able to get them uploaded on their behalf, but it's much better and 
easier if the project owners upload themselves! OSSRH is often the best way for 
independent maintainers not part of a bigger foundation to get their releases 
into central.

If the version currently in maven central will play nicely with a new version 
of a dependency, short-term we ought to be able to pull that in and exclude the 
old version. If it doesn't play nicely, our only option is to upgrade the whole 
lot, which needs to be in central.

> Move to later edu.ucar version to avoid EOL dependencies
> --------------------------------------------------------
>
>                 Key: TIKA-2536
>                 URL: https://issues.apache.org/jira/browse/TIKA-2536
>             Project: Tika
>          Issue Type: Improvement
>          Components: parser
>    Affects Versions: 1.16, 1.17
>         Environment: All
>            Reporter: Richard Jones
>            Priority: Major
>
> The currently referenced 4.5.5 versions of edu.ucar:grib and edu.ucar:cdm 
> (released in Mar 2015), as well as being branch EOL themselves, depend on 
> many other project/branch/version EOL artifacts for which much later and 
> active versions are often available. The list is as follows:
> - edu.ucar:grib depends on the project EOL bzip2. Much more recent versions 
> of edu.ucar:grib exist that no longer depend on bzip2 (note: Jbzip2 is hosted 
> on the Google Code site, which was shut down for active development in 2015.  
> The project was never migrated to another site, e.g. GitHub).
> - edu.ucar:grib depends on the 2.0.4 EOL version of org.jdom:jdom2
> - edu.ucar:cdm depends on the 2.6.2 branch EOL version of 
> net.sf.ehcache:ehcache-core
> - edu.ucar:cdm depends on the 2.2.0 EOL version of 
> org.quartz-scheduler:quartz for which active versions are available. In turn 
> org.quartz-scheduler:quartz depends on the 0.9.1.1 branch EOL version of 
> c3p0:c3p0. Later versions of quartz have moved to the active com.mchange:c3p0.
> - edu.ucar:grib depends on the 2.5.0 branch EOL version of 
> com.google.protobuf:protobuf-java for which active versions are available.
> Request moving to a much later version of edu.ucar, or alternative artifacts 
> to address all the above EOL issues (lack of active support for 
> vulnerabilities and bugs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
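
The short-term approach described in the comment (keep the edu.ucar version that is in Maven Central, exclude its old transitive dependencies and declare newer ones directly), as an added example that is not part of the original message or of Tika's build. The coordinates and the 4.5.5 version come from the issue text; the replacement versions are placeholders, and whether edu.ucar 4.5.5 works with them is an assumption that has to be tested.

```xml
<!-- Added example: fragment of a consuming pom.xml, not Tika's own. -->
<properties>
  <!-- Placeholders: set these to supported releases published in Maven Central. -->
  <jdom2.version>REPLACE_WITH_SUPPORTED_VERSION</jdom2.version>
  <quartz.version>REPLACE_WITH_SUPPORTED_VERSION</quartz.version>
</properties>

<dependencies>
  <!-- Keep the edu.ucar artifacts at the version named in the issue, but stop
       their EOL transitive dependencies from reaching the classpath. -->
  <dependency>
    <groupId>edu.ucar</groupId>
    <artifactId>grib</artifactId>
    <version>4.5.5</version>
    <exclusions>
      <exclusion>
        <groupId>org.jdom</groupId>
        <artifactId>jdom2</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <dependency>
    <groupId>edu.ucar</groupId>
    <artifactId>cdm</artifactId>
    <version>4.5.5</version>
    <exclusions>
      <!-- Excluding the old quartz also drops its c3p0:c3p0 dependency;
           per the issue, later quartz versions use com.mchange:c3p0. -->
      <exclusion>
        <groupId>org.quartz-scheduler</groupId>
        <artifactId>quartz</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Declare the replacements directly so Maven resolves these versions. -->
  <dependency>
    <groupId>org.jdom</groupId>
    <artifactId>jdom2</artifactId>
    <version>${jdom2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.quartz-scheduler</groupId>
    <artifactId>quartz</artifactId>
    <version>${quartz.version}</version>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=org.jdom:jdom2` (and the same for the other coordinates) shows which version is actually resolved after the change.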
