Hi,
I found some very old dependencies being used in the netflix-infix project, listed below:

- joda-time v2.3 to v2.13.1 (https://mvnrepository.com/artifact/joda-time/joda-time)
- antlr-runtime v3.4 to 3.5.3; it has been relocated to org.antlr » antlr4-runtime, which is being maintained regularly. This upgrade to the latest relocated package also involves no longer using older subpackages like commons-jxpath:commons-jxpath:jar:1.3 and org.antlr:stringtemplate:jar:3.2.1, and also moving to the relocated org.antlr » antlr4.
- org.apache.commons.jxpath is a very old library, full of CVEs and unmaintained for 17 years. We should remove the dependency on jxpath and use the JDK standard implementation.

Can we update these packages to a much more stable version?