jcefmaven / jcefmaven

Maven artifacts for JCef

[BUG] Dependencies as currently declared bring in JUnit for production classpath

hakanai opened this issue · comments

Describe the bug
I tried adding jcefmaven to my dependencies and found that I now have junit on the production classpath.

To Reproduce
Steps to reproduce the behavior:

  1. Make a new Gradle project
  2. Add implementation("me.friwi:jcefmaven:105.3.36.1")
  3. Build the project and you will see junit being fetched.

Expected behavior
JUnit should only be on the classpath for running tests.

Environment (please complete the following information):

  • OS: Windows (but probably irrelevant)
  • Architecture: amd64 (but probably irrelevant)
  • Version: 105.3.36.1

Seems to be json-simple bringing it in, so basically it looks like you just switch to a normal JSON parser and everything is good? Pulling in random JSON parsers isn't good security anyway.
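A consumer-side mitigation for the reproduction steps above, written as an added example that is not part of this issue or of the jcefmaven project: a `build.gradle.kts` that keeps the transitive JUnit off the production classpath and fails the build if a test-only artifact ever leaks back in. It assumes the Gradle `java` plugin and the JUnit coordinates `junit:junit`; the version pinned is the one reported in the issue.

```kotlin
// build.gradle.kts (added example; not from the jcefmaven project)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Version from the issue. json-simple declares junit in compile scope,
    // so exclude it here until a jcefmaven build without json-simple is used.
    implementation("me.friwi:jcefmaven:105.3.36.1") {
        exclude(group = "junit", module = "junit")
    }
    // Tests keep their own JUnit, visible only on the test classpath.
    testImplementation("junit:junit:4.13.2")
}

// Groups that must never appear on the runtime classpath (assumed list).
val forbiddenRuntimeGroups = setOf("junit", "org.junit.jupiter", "org.hamcrest")

// Guardrail: resolve runtimeClasspath and fail if any forbidden group is present,
// so a future version bump cannot silently reintroduce a test library.
tasks.register("checkRuntimeClasspath") {
    val runtimeCp = configurations.runtimeClasspath
    doLast {
        val leaked = runtimeCp.get().resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group in forbiddenRuntimeGroups }
        if (leaked.isNotEmpty()) {
            throw GradleException("Test-only artifacts on runtime classpath: $leaked")
        }
    }
}

// Run the guardrail as part of the normal `check` lifecycle task.
tasks.named("check") { dependsOn("checkRuntimeClasspath") }
```

`gradle dependencies --configuration runtimeClasspath` shows the resolved tree if you want to confirm by eye which artifact pulled JUnit in.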

commented

json-simple is in no way a random JSON parser. It is practically the go-to standard together with gson.

commented

@hakanai So I checked and apparently I was wrong. Bringing json-simple on classpath indeed includes an outdated version of junit that is vulnerable to exploits, so I switched over to gson now. It also seems like json-simple really is not a standard json parser anymore.

The change will be included in all builds after 105.3.36.1. Once my PR for JCEF gets accepted I will issue a new version.

Thanks for your feedback, I did not notice so far! :)