[
https://issues.apache.org/jira/browse/XGC-148?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simon Steiner resolved XGC-148.
-------------------------------
Fix Version/s: main
Resolution: Fixed
https://github.com/apache/xmlgraphics-commons/commit/22e04a9b0a5018081ebebef09b7c8234e8927e75
> Drop commons-io dependency
> --------------------------
>
> Key: XGC-148
> URL: https://issues.apache.org/jira/browse/XGC-148
> Project: XMLGraphicsCommons
> Issue Type: Improvement
> Affects Versions: 2.11
> Reporter: Vladimir Sitnikov
> Assignee: Simon Steiner
> Priority: Major
> Fix For: main
>
>
> Currently, xmlgraphics-commons depends on commons-io (550KiB jar), however
> only a few methods are used there: {{IOUtils.closeQuietly}} and
> {{ByteArrayOutputStream}}.
> There are the following problems:
> 1) 500KiB is an extra dependency
> 2) A single CVE in commons-io might affect all the consumers for
> xmlgraphics-commons
> 3) IOUtils.closeQuietly might be replaced with try-with-resources.
> Could you please drop the dependency?
> I could help with the PR to remove the dependency.
> See:
> * https://github.com/JetBrains/lets-plot/issues/1421
> * https://github.com/JetBrains/lets-plot/issues/1231
> Context: I'm managing Apache JMeter dependencies, and xmlgraphics-commons is
> the only component that requires commons-io
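An added example (not code from the xmlgraphics-commons commit) of what the swap in point 3 changes: a quiet close swallows a failing `close()`, while try-with-resources reports it to the caller. The class names, the failing stream and the local `closeQuietly` stand-in for the commons-io helper are all constructed for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.IOException;
import java.io.OutputStream;

public class CloseWithoutCommonsIo {
    // Constructed stream whose close() fails, like a flush-on-close hitting a full disk.
    static class FailingOnClose extends OutputStream {
        @Override public void write(int b) { /* discard */ }
        @Override public void close() throws IOException {
            throw new IOException("flush on close failed");
        }
    }

    // Hypothetical local stand-in for the commons-io helper: ignores close() errors.
    static void closeQuietly(Closeable c) {
        try { if (c != null) c.close(); } catch (IOException ignored) { }
    }

    // Old pattern: the close() failure is swallowed, so truncated output goes unnoticed.
    static String withQuietClose() {
        OutputStream out = new FailingOnClose();
        try {
            out.write(1);
            return "ok";
        } catch (IOException e) {
            return "failed: " + e.getMessage();
        } finally {
            closeQuietly(out);
        }
    }

    // JDK-only pattern: the exception thrown by close() reaches the catch block.
    static String withTryWithResources() {
        try (OutputStream out = new FailingOnClose()) {
            out.write(1);
            return "ok";
        } catch (IOException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("quiet close:        " + withQuietClose());
        System.out.println("try-with-resources: " + withTryWithResources());
        // java.io.ByteArrayOutputStream covers the in-memory buffer use with no extra jar.
        try (ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            buf.write(new byte[] {1, 2, 3});
            System.out.println("buffered bytes:     " + buf.size());
        }
    }
}
```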