The vulnerability in the Search Add-on's depency #4898
Description
The artifact "org.apache.tika:tika-parsers:1.28.5" has many vulnerabilities
They can be seen here
https://mvnrepository.com/artifact/org.apache.tika/tika-parsers/1.28.5
Note that starting with the 2.0.0 version the "tika-parsers" artifact was divided into some modules. So instead of the "tika-parsers" artifact the "tika-parsers-standard-package" and "tika-parsers-extended" should be used. The API of the "2.0.0" version has breaking changes. And this version still has vulnerabilities. So the target version should be the latest version(3.2.3).
But there is another problem. The library "tika-parsers-standard-package" is still very big and it contains a lot of dependencies. It is a very usual situation when a new vulnerability in the library or in one of its dependencies is found.
On the other side, the ability to index file content is required not on each project.
So there is a proposal not only to upgrade the version of the library but to make the parsers engine of the Search add-on have soft link to the library. As a result the Search add-on is able to work "with" or "without" any "tika-parsers" dependency.
The suggesting PR #3683 looks like a solution to the problem if the annotations for conditional bean creation for different parsers will be added.