| Re: [cross-project-issues-dev] Fwd: [eclipse-platform/eclipse.platform.releng.aggregator] New Dependency Chain rcp -> batik -> xmlgraphics -> commons.logging (Issue #651) |
On Fri, Nov 4, 2022 at 10:38 AM Pierre-Charles David <pierre-charles.david@xxxxxxx> wrote:
Le 29/10/2022 à 10:33, Ed Merks a écrit :
FYI, The platform and Orbit have moved to Batik version 1.16.0 to fix some CVEs so please (Graphiti, GMF, Papyrus, and Sirius) update to this new version for M3.
I'm working on it for GMF Runtime and Sirius, but noticed that there has been some recent security-related fixes post-1.16.0 (see https://github.com/apache/xmlgraphics-batik/commits/trunk). We should probably expect a Batik 1.17 in the near future.
Thanks for the heads up. If/when 1.17 comes I would really welcome someone to step up and do the bump in Orbit.
No sign of Batik 1.17 for the moment.
I have release candidates versions of GMF Runtime (1.15.3) and
Sirius (7.0.6) ready for inclusion
(https://git.eclipse.org/r/c/simrel/org.eclipse.simrel.build/+/196896),
but they can not merge them yet as it break Papyrus:
Missing requirement: Papyrus GMF Diagrams Support 4.3.0.202210051746 (org.eclipse.papyrus.infra.gmfdiag.common 4.3.0.202210051746) requires 'osgi.bundle; org.apache.batik.dom [1.14.0,1.15.0)' but it could not be foundI've notified the Papyrus mailing list.
Pierre-Charles David (Obeo)