On 13/11/2025 18:12, Vladimir Sitnikov wrote:
>> That would probably be a waste of time since neither json-lib 2.3 nor
>> ezmorph 1.0.6 use the ClassUtils class affected by the CVE:
>
> See, GitHub nags me about "your dependencies have CVE".
> I am sure I am not the only one who still has commons-lang via transitive
> dependency.
>
> I am sure the actual ClassUtil usage is minimal, however, I do not want to
> have vulnerable classes on the classpath.

It's not minimal, it's exactly zero in your case. And you don't even use
it in your application since it's just the staging plugin of your build
file.

> Frankly, the policy of "not providing a fix for CVE" does not sound right
> to me.

Commons Lang 2.6 is 14 years old. Maintaining it indefinitely for free
doesn't sound right to me.

Emmanuel Bourg
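The disagreement above turns on a question a practitioner can check rather than argue: is the flagged class actually on the classpath, and does any of your own code (or any other jar) reference it? The script below is an added example, not code from Apache Commons or from either participant. It walks a set of jars, reports which jar ships `org/apache/commons/lang/ClassUtils.class` (Commons Lang 2.x uses the `org.apache.commons.lang` package) and which other jars mention that binary class name in their class files, using a raw byte search over each class as a constant-pool heuristic. The sample jars it builds are constructed placeholders, not real bytecode, and the jar names (`commons-lang-2.6.jar`, `uses-classutils.jar`, `clean.jar`) are assumptions for the demo.

```python
import os
import sys
import tempfile
import zipfile
from pathlib import Path

# Binary name of the class under discussion, as it appears in class-file
# constant pools. Commons Lang 2.x lives in org.apache.commons.lang.
TARGET_CLASS = "org/apache/commons/lang/ClassUtils"
TARGET_ENTRY = TARGET_CLASS + ".class"


def scan_jar(jar_path):
    """Return (provides, references): whether this jar ships the target class,
    and whether any class file in a *different* jar mentions the class name."""
    needle = TARGET_CLASS.encode("utf-8")
    references = False
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        provides = TARGET_ENTRY in names
        # References inside the providing jar itself are expected; only look
        # for the class name in jars that do not ship it.
        if not provides:
            for name in names:
                if name.endswith(".class") and needle in zf.read(name):
                    references = True
                    break
    return provides, references


def classpath_report(jar_paths):
    """Group jars into those that provide the class and those that reference it.
    The reference check is a heuristic byte search for the binary class name:
    a string literal containing it gives a false positive, and purely reflective
    use (Class.forName on a runtime-built string) is not detected."""
    report = {"provides": [], "references": []}
    for jar in jar_paths:
        provides, references = scan_jar(jar)
        name = os.path.basename(str(jar))
        if provides:
            report["provides"].append(name)
        if references:
            report["references"].append(name)
    return report


def build_sample_jars(directory):
    """Constructed sample data: three tiny jars whose .class entries are
    placeholder bytes (a class-file magic number plus text), not real bytecode.
    Returns the jar paths in a fixed order."""
    directory = Path(directory)
    samples = {
        "commons-lang-2.6.jar": {TARGET_ENTRY: b"\xca\xfe\xba\xbe placeholder"},
        "uses-classutils.jar": {
            "com/example/Uses.class": b"\xca\xfe\xba\xbe " + TARGET_CLASS.encode("utf-8")
        },
        "clean.jar": {"com/example/Clean.class": b"\xca\xfe\xba\xbe java/lang/Object"},
    }
    paths = []
    for jar_name, entries in samples.items():
        path = directory / jar_name
        with zipfile.ZipFile(path, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
        paths.append(path)
    return paths


def demo():
    """Build the constructed jars in a temporary directory and report on them."""
    with tempfile.TemporaryDirectory() as tmp:
        return classpath_report(build_sample_jars(tmp))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan every jar below the given directory, e.g. a build's lib/ folder.
        print(classpath_report(sorted(Path(sys.argv[1]).rglob("*.jar"))))
    else:
        print(demo())
```

Run it with a directory argument to scan a real classpath; with no argument it runs on the constructed jars, where only `commons-lang-2.6.jar` provides the class and only `uses-classutils.jar` references it. A jar that provides the class but is referenced by nothing is the "exactly zero usage" case from the thread; the remaining risk then lies only in reflective or serialization-driven loading, which this byte search cannot see, so treat an empty `references` list as evidence, not proof.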