ESAPI excludes transitive dependency xalan from xom, but does not include it itself
in-fke opened this issue · 2 comments
Describe the bug
ESAPI excludes transitive dependency xalan from xom, but does not include it itself
see
https://github.com/ESAPI/esapi-java-legacy/blob/develop/pom.xml#L181C22-L181C73
it states
excluded because we directly import newer versions
Specify what ESAPI version(s) you are experiencing this bug in
2.5.2.0
To Reproduce
run mvn dependency:tree
Expected behavior
Expected to directly depend on xalan:xalan:2.7.3 (no need to exclude it, just explicitly add the dependency to raise the version)
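To make the two Maven patterns the report contrasts concrete, here is an added illustration; it is not copied from the ESAPI pom linked above, and the xom declaration shape is an assumption, with only the version numbers (xom 1.3.8, xalan 2.7.3) taken from this issue.

```xml
<!-- Added illustration, not the ESAPI pom. Only the version numbers come from the issue. -->

<!-- Pattern 1 (as reported): xalan is excluded from xom's transitive dependencies,
     but nothing declares xalan directly. Any class xom (or application code) still
     needs from xalan is then simply absent from the classpath and fails at runtime
     with a missing-class error, and the pom comment "excluded because we directly
     import newer versions" does not hold. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
  <exclusions>
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>

<!-- Pattern 2 (what the report asks for): keep xom unchanged and declare xalan directly.
     Maven's "nearest wins" mediation prefers the direct declaration over the transitive
     one, so the patched version is resolved and no exclusion is needed. -->
<dependency>
  <groupId>xom</groupId>
  <artifactId>xom</artifactId>
  <version>1.3.8</version>
</dependency>
<dependency>
  <groupId>xalan</groupId>
  <artifactId>xalan</artifactId>
  <version>2.7.3</version>
</dependency>
```

Either way, `mvn dependency:tree -Dincludes=xalan` shows which xalan version (if any) actually ends up on the classpath, which is the check that surfaced this report.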
IIRC, the reason we excluded xalan in the first place was that it had a lot of unpatched known vulnerabilities and we didn't rely on any functionality in xom that used anything from xalan.
We are currently using xom:xom:1.3.8, but I just updated our pom to 1.3.9, which no longer has a dependency on xalan, so I simply removed that exclusion as well. It will be out in our next release. Thanks.
Ok, great, that's even better!