Celebrate-future opened a new pull request #819: URL: https://github.com/apache/tomee/pull/819
Hi! I found the pom file of project **_org.apache.tomee:tomee-server-version:8.0.11-SNAPSHOT_** introduced **_6_** dependencies. However, among them, **_3_** libraries (**_50%_**) are not used by your project. I list the redundant dependencies below (labelled as red ones in the figure): ## Redundant dependencies org.tomitribe:tomitribe-util:jar:1.2.3:compile org.tomitribe:swizzle:jar:1.0:compile org.apache.commons:commons-compress:jar:1.14:compile --- Removing the redundant dependencies can reduce the size of project and prevent potential dependency conflict issues (i.e., multiple versions of the same library). More importantly, one of the redundant dependencies **_org.apache.commons:commons-compress:jar:1.14:compile_** incorporates a medium-level vulnerability SNYK-JAVA-ORGAPACHECOMMONS-1316639. As such, I suggest a refactoring operation for **_org.apache.tomee:tomee-server-version:8.0.11-SNAPSHOT_**’s pom file. The attached PR helps resolve the reported problem. It is safe to remove the unused libraries (we considered Java reflection relations when analyzing the dependencies). These changes have passed **_org.apache.tomee:tomee-server-version:8.0.11-SNAPSHOT_**’s maven tests. Best regards  -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
