Upgrade to XmlUnit2 2.10.0 #41429


Closed
wilkinsona opened this issue Jul 9, 2024 · 2 comments
Labels
type: dependency-upgrade A dependency upgrade
Milestone
3.4.0-M1
Comments

@wilkinsona
Member

No description provided.

@wilkinsona wilkinsona added the type: dependency-upgrade A dependency upgrade label Jul 9, 2024
@wilkinsona wilkinsona added this to the 3.4.0-M1 milestone Jul 9, 2024
@mnk

mnk commented Aug 19, 2024

Please consider backporting this to the 3.3 branch to fix the security issue flagged by Snyk: https://security.snyk.io/vuln/SNYK-JAVA-ORGXMLUNIT-6751676

@bclozel
Member

bclozel commented Aug 19, 2024

Thanks for the heads up. I don't think we should make an exception to our upgrade policy. Fortunately, the CVE is most likely not exploitable in Spring Boot applications (because they're not using this library against untrusted sources), and it seems easy enough to upgrade locally or even to set the TransformerFactoryConfigurer.withSafeAttribute("jdk.xml.enableExtensionFunctions", "false") property yourself in a <2.10 version.
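As an added example (not code from this issue, from Spring Boot or from XMLUnit), here is how the workaround bclozel describes can be applied to an XMLUnit 2.x version older than 2.10.0: build a TransformerFactory with the jdk.xml.enableExtensionFunctions attribute turned off and hand that factory to XMLUnit's Transform builder. It assumes XMLUnit's org.xmlunit.util.TransformerFactoryConfigurer builder API (withSafeAttribute, withSafeFeature, build, configure) and the usingFactory method of org.xmlunit.builder.Transform; the class name SafeXmlUnitTransform, the helper names and the sample order document are mine.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerFactory;

import org.xmlunit.builder.Input;
import org.xmlunit.builder.Transform;
import org.xmlunit.util.TransformerFactoryConfigurer;

/**
 * Added example: runs XMLUnit transformations through a TransformerFactory
 * on which XSLT extension functions (stylesheet calls into Java) are disabled,
 * the workaround the issue comment suggests for XMLUnit versions before 2.10.0.
 */
public class SafeXmlUnitTransform {

    /** JDK attribute named in the issue comment; "false" blocks extension functions. */
    static final String ENABLE_EXTENSION_FUNCTIONS = "jdk.xml.enableExtensionFunctions";

    /**
     * Builds the hardened factory. The "safe" builder methods skip an attribute
     * or feature the underlying XSLT engine does not recognise instead of
     * throwing, so a non-JDK engine still gets a usable factory.
     * FEATURE_SECURE_PROCESSING is added as well: on the JDK it also disables
     * extension functions and applies its resource limits.
     */
    static TransformerFactory hardenedFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        TransformerFactoryConfigurer.builder()
                .withSafeFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
                .withSafeAttribute(ENABLE_EXTENSION_FUNCTIONS, "false")
                .build()
                .configure(tf);
        return tf;
    }

    /** Applies a stylesheet to a document using the hardened factory (assumed usingFactory API). */
    static String transform(String xml, String xslt) {
        Source document = Input.fromString(xml).build();
        Source stylesheet = Input.fromString(xslt).build();
        return Transform.source(document)
                .withStylesheet(stylesheet)
                .usingFactory(hardenedFactory())
                .build()
                .toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: a plain XSLT 1.0 stylesheet that only uses
        // standard XPath, so it keeps working with extension functions disabled.
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
                + "<xsl:template match=\"/order\">"
                + "<total><xsl:value-of select=\"sum(item/@price)\"/></total>"
                + "</xsl:template>"
                + "</xsl:stylesheet>";
        String xml = "<order><item price=\"10\"/><item price=\"5\"/></order>";
        System.out.println(transform(xml, xslt));
    }
}
```

The attribute form scopes the restriction to the factory XMLUnit is given, which is what the comment refers to; setting the JVM system property jdk.xml.enableExtensionFunctions=false instead applies it to every JDK TransformerFactory in the process. Either way, stylesheets that only use standard XSLT and XPath are unaffected, which is what to verify after applying the change.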
