
Dependencies in Maven Artefact #80

Open
thoebert opened this issue Jan 27, 2022 · 1 comment

Comments

@thoebert

thoebert commented Jan 27, 2022

Thank you for your work on PDDL4J!

Today I noticed that the current Maven Artefact of PDDL4J (Maven) is packed with all its compiled dependencies, for example: Log4j, JUnit, etc. This leads to several drawbacks:

  • Runtime exceptions: If one of these libraries is used within the same project, PDDL4J cannot be used because of the code duplication of the same library (with different versions). This leads to exceptions, for example a 'java.lang.NoSuchMethodError' if another version of Log4J is used in the same project.
  • Security Issues: the packed Log4J version is highly unsafe because of the critical vulnerability CVE-2021-44228 a.k.a. Log4Shell (CVSS severity level 10 out of 10).
  • Bulky dependency: Some of the packed dependencies, e.g. JUnit, are not necessary in the maven artefact and only increase the file size.

I think this can easily be fixed with a small change in the build/publish workflow.
Thank you!
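One way to verify whether a published jar is "fat" (bundles its dependencies' classes) or thin, as an added example that is not part of the original issue or of PDDL4J's build: the script below builds two small jars in memory (constructed samples, not real PDDL4J artifacts), then scans each for class entries outside the project's own package. The project package prefix `com/example/` and the dependency package list are assumptions for the illustration; the `JndiLookup` class name is the real log4j-core class behind CVE-2021-44228.

```python
"""Scan a jar for bundled third-party classes (added example, not PDDL4J code)."""
import io
import zipfile

# Package prefixes of dependencies that should be declared in the POM,
# not packed into the artifact (assumed list for this example).
KNOWN_THIRD_PARTY = {
    "org/apache/logging/log4j/": "Log4j",
    "org/junit/": "JUnit",
}
# Class in log4j-core that implements the JNDI lookup abused by Log4Shell.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_jar(jar_bytes: bytes, project_prefix: str) -> dict:
    """Report classes in the jar that do not belong under project_prefix.

    Returns counts per known dependency, the set of foreign package roots
    (first two path segments), and whether the vulnerable JNDI lookup
    class is present.
    """
    bundled = {}
    foreign_roots = set()
    has_jndi_lookup = False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            # Only class files matter; resources and manifests are skipped.
            if not name.endswith(".class") or name.startswith(project_prefix):
                continue
            parts = name.split("/")
            if len(parts) >= 2:
                foreign_roots.add("/".join(parts[:2]))
            if name == JNDI_LOOKUP_CLASS:
                has_jndi_lookup = True
            for prefix, label in KNOWN_THIRD_PARTY.items():
                if name.startswith(prefix):
                    bundled[label] = bundled.get(label, 0) + 1
    return {
        "bundled": bundled,
        "foreign_roots": sorted(foreign_roots),
        "has_jndi_lookup": has_jndi_lookup,
        "is_fat_jar": bool(foreign_roots),
    }


def make_sample_jar(entries) -> bytes:
    """Construct a jar (a zip) with the given entry names; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            # Class-file magic number stands in for real bytecode (constructed).
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample: an artifact packed with Log4j and JUnit classes.
FAT_JAR = make_sample_jar([
    "META-INF/MANIFEST.MF",
    "com/example/Planner.class",
    "org/apache/logging/log4j/LogManager.class",
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/junit/Assert.class",
])

# Constructed sample: a thin artifact containing only the project's classes.
THIN_JAR = make_sample_jar([
    "META-INF/MANIFEST.MF",
    "com/example/Planner.class",
    "com/example/parser/Parser.class",
])


if __name__ == "__main__":
    for label, jar in (("fat", FAT_JAR), ("thin", THIN_JAR)):
        print(label, scan_jar(jar, "com/example/"))
```

Run against a real artifact with `scan_jar(open("pddl4j.jar", "rb").read(), "<project package prefix>/")`; a non-empty `foreign_roots` means consumers will get the bundled copies on their classpath alongside whatever versions they declare themselves, which is the source of the `NoSuchMethodError` and of the unpatched Log4j exposure described above.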

@pellierd
Owner

pellierd commented Feb 4, 2022

You're right.

We will change this in the next release which is in preparation in the devel branch.
