Drop jibx-tools dependency to remove transitive log4j 1.x#8
Merged
Merged
Conversation
jibx-tools was only used in Util.plural / Util.singular to derive accessor names for `repeated` fields (addItem / getItemsCount / etc.). It transitively pulled in log4j 1.2.17 (multiple CVEs) and ~10 ancient Eclipse JDT jars. The relevant pluralize/depluralize logic from JiBX NameUtilities is ~40 lines of rule-based suffix manipulation with no irregular-plural handling, so vendor it directly into Util (BSD 3-clause, attribution in comment). Generated output is byte-identical; all 262 existing tests pass unchanged. Add UtilTest covering every branch of plural / singular, including the case-sensitivity quirk in jibx where "ANY" pluralizes to "ANYs".
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
jibx-tools1.3.3 was used only inUtil.plural/Util.singularto derive accessor names forrepeatedfields (addItem,getItemsCount, etc.). It transitively pulled inlog4j1.2.17 (multiple CVEs) and ~10 ancient Eclipse JDT jars.pluralize/depluralizelogic from JiBXNameUtilitiesis ~40 lines of rule-based suffix manipulation with no irregular-plural handling. Vendored it directly intoUtil.java(BSD 3-clause, attribution in comment). Generated output is byte-identical to before.UtilTestcovering every branch ofplural/singular, including a case-sensitivity quirk in the original jibx implementation where"ANY"pluralizes to"ANYs".After this change,
mvn dependency:treeforcode-generatorno longer containslog4j,jibx, ororg.eclipse.*.Test plan
mvn installbuilds clean across all moduleslightproto-testspass unchanged (these exercise plural/singular for every repeated field in the proto fixtures)UtilTest(34 cases) covers every branch ofpluralandsingularmvn -pl code-generator dependency:treeshows nolog4j,jibx, or Eclipse JDT artifacts