holodeck-b2b/Holodeck-B2B

Distribution Package appears to provide two competing versions of ehcache

jf-kisters opened this issue · 2 comments

Holodeckb2b-distribution-6.1.0.zip contains two files:

  • ehcache-2.10.5.jar
  • ehcache-3.10.8.jar

I am quite certain that the 2.10.5 is outdated and can be safely removed.

The package naming is different for these versions, so the new version cannot directly replace the old one if dependent code uses the old names. The 2.10.5 version is included as it is a dependency of the WS-Security library. But since Holodeck B2B does not use the functionality from the security library that includes caching, I indeed believe it could be removed. The upcoming version of HB2B upgrades to a newer version of the WS-Security library, and this issue is resolved.

Yeah, we tested by removing the library and also did a scan for imports which (afaik) came back negative. We are already operating an installation where we manually deleted that file (due to a CVE being present in 2.10.5).