Status of ESAPI 2.5.0.0 release #723
kwwall
announced in
Announcements
Replies: 0 comments
So, part way through the release, after following our release steps and pushing the 2.5.0.0 branch to main, I was running the 'mvn deploy' step, which uploads to the Maven Central 'staging area'. However, that step has a step that we built into it that causes it to run OWASP Dependency Check one last time. And it flagged a really old CVE associated with Xerces that we've never seen before. We don't use Xerces directly, but it is a transitive dependency via AntiSamy. However, I am currently trying to get in contact with the AntiSamy dev team to see if I can get them to confirm that it is a false positive (which is what I believe) before proceeding or trying to work around it.
However, this means that for the moment, there is both a 2.5.0.0 release and a corresponding signed tag (esapi-2.5.0.0) that may still need to be updated. :( It also means, in the meantime, that our 'main' branch no longer reflects the "latest officially available ESAPI release" for the moment.
Once this gets all straightened out, I will send out another update, but that may not be until tomorrow.