[ https://issues.apache.org/jira/browse/XGC-148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035818#comment-18035818 ]

Vladimir Sitnikov commented on XGC-148:
---------------------------------------

I went ahead and implemented the change. Reviews are welcome: 
https://github.com/apache/xmlgraphics-commons/pull/32

> Drop commons-io dependency
> --------------------------
>
>                 Key: XGC-148
>                 URL: https://issues.apache.org/jira/browse/XGC-148
>             Project: XMLGraphicsCommons
>          Issue Type: Improvement
>    Affects Versions: 2.11
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>
> Currently, xmlgraphics-commons depends on commons-io (550KiB jar), however 
> only a few methods are used there: {{IOUtils.closeQuietly}} and 
> {{ByteArrayOutputStream}}.
> There are the following problems:
> 1) 500KiB is an extra dependency
> 2) A single CVE in commons-io might affect all the consumers for 
> xmlgraphics-commons
> 3) IOUtils.closeQuietly might be replaced with try-with-resources.
> Could you please drop the dependency?
> I could help with the PR to remove the dependency.
> See:
> * https://github.com/JetBrains/lets-plot/issues/1421
> * https://github.com/JetBrains/lets-plot/issues/1231
> Context: I'm managing Apache JMeter dependencies, and xmlgraphics-commons is 
> the only component that requires commons-io



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
