[BUG] Dependencies as currently declared bring in JUnit for production classpath
hakanai opened this issue
Describe the bug
I tried adding jcefmaven to my dependencies and found that I now have junit on the production classpath.
To Reproduce
Steps to reproduce the behavior:
- Make a new Gradle project
- Add implementation("me.friwi:jcefmaven:105.3.36.1") to dependencies
- Build the project and you will see junit being fetched.
Expected behavior
JUnit should only be on the classpath for running tests.
Environment (please complete the following information):
- OS: Windows (but probably irrelevant)
- Architecture: amd64 (but probably irrelevant)
- Version: 105.3.36.1
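A defensive workaround for projects stuck on the affected version, as an added example that is not part of this thread or of the jcefmaven project: a Gradle Kotlin DSL build that excludes the transitive junit module under jcefmaven and adds a guard task that fails the build if any junit artifact still resolves onto the runtime classpath. It assumes the java plugin, Maven Central, and junit's Maven coordinates (group junit, module junit); the JUnit 4 test dependency is just a stand-in for whatever the project actually tests with.

```kotlin
// build.gradle.kts (added example; assumes the java plugin and Maven Central)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Exclude the transitive junit that arrives via jcefmaven's json-simple
    // dependency, so it never reaches the production classpath.
    implementation("me.friwi:jcefmaven:105.3.36.1") {
        exclude(group = "junit", module = "junit")
    }

    // Test-only JUnit stays where it belongs: on the test classpath.
    testImplementation("junit:junit:4.13.2")
}

// Guard task: fail the build if any junit artifact resolves at runtime.
// Run with ./gradlew checkNoJUnitAtRuntime; it is also wired into `check`.
val checkNoJUnitAtRuntime by tasks.registering {
    doLast {
        val leaked = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "junit" }
        check(leaked.isEmpty()) {
            "JUnit leaked onto the runtime classpath: $leaked"
        }
    }
}

tasks.named("check") {
    dependsOn(checkNoJUnitAtRuntime)
}
```

To confirm the exclusion by eye, ./gradlew dependencies --configuration runtimeClasspath prints the resolved runtime tree, where junit should no longer appear.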
Seems to be json-simple bringing it in, so basically it looks like you just switch to a normal JSON parser and everything is good? Pulling in random JSON parsers isn't good security anyway.
json-simple is in no way a random JSON parser. It is practically the go-to standard together with gson.
@hakanai So I checked and apparently I was wrong. Bringing json-simple on classpath indeed includes an outdated version of junit that is vulnerable to exploits, so I switched over to gson now. It also seems like json-simple really is not a standard json parser anymore.
The change will be included in all builds after 105.3.36.1. Once my PR for JCEF gets accepted I will issue a new version.
Thanks for your feedback, I had not noticed so far! :)