Old Dependencies and vulnerabilities

[brunoorsolon]

I have noticed that over the years, the number of vulnerabilities due to old dependencies in this module is piling up.
https://mvnrepository.com/artifact/com.github.java-json-tools/jackson-coreutils/2.0

The repository seems abandoned, but did anyone bother to try to update the dependencies or just move on and use something else?

[lukeu]

Maintenence appears to have moved to: https://github.com/java-json-tools/jackson-coreutils

I'm not sure why searching github insists on pointing only to this original repo - nor does it give links to the 31 forks that have apparently been made! 🫤

The level of voluntary maintenence is still low, and on the flip-side, keeping old dependencies does maximise compatibility. (At time of writing it looks like the lib still supports Java 7!) So I would say to just specify (minimal) versions of its few transient deps in your build logic.