This plugin uses org.codehaus.groovy.modules.http-builder:http-builder which is unmaintained, including its forks. These use net.sourceforge.nekohtml:nekohtml which is likewise and that uses xerces:xercesImpl. This plugin doesn't rely on xerces since it uses JSON instead of XML, so one can exclude this library safely.
When xerces is on the build environment classpath, then it becomes the javax.xml provider. This is incompatible with Gradle 8.4 which can result in SAXNotRecognizedException during dependency resolution thanks to an unrecognized property.
XML parsing now requires recent parsers
Gradle 8.4 now configures XML parsers with security features enabled. If your build logic has dependencies on old XML parsers that don’t support secure parsing, your build may now fail. If you encounter a failure, check and update or remove any dependency on legacy XML parsers.
The only workaround that I found was to remove the library entirely, which is preferable due to its history of vulnerabilities. A slightly more invasive change is to use an HTTP client that is still supported, or just plain URLConnection.
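One way to apply the exclusion described in this issue from the consuming build, shown as an added example that is not part of the original issue or the plugin's own code. The plugin coordinates are placeholders and the task name `checkNoLegacyXerces` is hypothetical; it assumes the plugin is loaded through the `buildscript` classpath.

```groovy
// build.gradle (Groovy DSL)
buildscript {
    repositories {
        gradlePluginPortal()
    }
    dependencies {
        // Placeholder coordinates (assumption): replace with the plugin that
        // brings in http-builder transitively.
        classpath 'com.example:placeholder-plugin:0.0.0'
    }
    // Exclude the legacy parser from the whole build script classpath, so it is
    // dropped whichever path (http-builder -> nekohtml -> xercesImpl) pulls it in.
    configurations.classpath {
        exclude group: 'xerces', module: 'xercesImpl'
    }
}

// Hypothetical verification task (name chosen for this example): fails if a
// xerces artifact is still resolved onto the build script classpath.
tasks.register('checkNoLegacyXerces') {
    doLast {
        def leftovers = buildscript.configurations.classpath
            .resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'xerces' }
            .collect { "${it.group}:${it.name}:${it.version}" }
        if (leftovers) {
            throw new GradleException("Legacy XML parser still on build classpath: ${leftovers}")
        }
        logger.lifecycle('No xerces artifact on the build script classpath.')
    }
}
```

Gradle's built-in `buildEnvironment` task prints the same build script classpath as a dependency tree, which shows which dependency path brought `xercesImpl` in before the exclusion.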