
security upgrade: the core project j2html had an insecure dependency …

Open koaben opened this issue 1 year ago • 9 comments

security upgrade: the core project j2html had an insecure dependency (a very old apache velocity).

also added a GETTING_STARTED.md document, so it is easier to get started with this project.

koaben avatar May 04 '24 13:05 koaben

Can I help you maintain this open source project? The last update seems to be from 2022, so development seems inactive. If possible I would like to become a maintainer of this project.

koaben avatar May 04 '24 18:05 koaben

> Can I help you maintain this open source project? The last update seems to be from 2022, so development seems inactive. If possible I would like to become a maintainer of this project.

@koaben I would be happy for more maintainers to join. I stopped maintaining this a long time ago and onboarded @sembler, but I don't think he would mind the company (?)

tipsy avatar May 06 '24 18:05 tipsy

I wouldn't mind at all. In fact life has steadily grown more busy for me and I'm severely limited in what I can contribute. Having another maintainer will give this project a better chance to survive.

sembler avatar May 06 '24 20:05 sembler

ok. ;-). Let's help this project ;-) and make it a fun project for everyone ;-).

QUESTION: Should we still support Java8 (the build fails because Javalin 6.1.3 does not build with Java8)? The current old Javalin 4.0.0 has some insecure dependencies, and the newest Javalin 6.1.3 does not support Java8.

POSSIBLE SOLUTION: Perhaps if we split the j2html-website sub-project into a separate git repository, then this main project can still support Java8. But why support Java8? Better to focus on Java21+ than on Java8?

koaben avatar May 08 '24 01:05 koaben

Good day @tipsy and @sembler, an update: I have updated the GitHub workflow so the project now builds for Java21, Java17 and Java11 (the failing Java8 build is removed, as it is no longer maintainable with the new dependencies).

2 Questions:

  1. is this pull request ready for merge according to you? (this PR removes security issues of the core project)
  2. when can I start helping maintaining this project? ;-)

koaben avatar May 14 '24 19:05 koaben

> when can I start helping maintaining this project? ;-)

Let me configure the appropriate access this weekend. Ping me if I forget!

tipsy avatar May 14 '24 22:05 tipsy

Ok. Thanks @tipsy (and @sembler)! A first clear goal is to publish a new release of j2html on https://mvnrepository.com/artifact/com.j2html/j2html (the next version will be without security issues in dependencies, so no troubles anymore with CVE-2020-13936). This will allow more people to use j2html ;-).

Question: I have never done this before, can you sketch the main steps I should execute for this goal for j2html? It would really be appreciated ;-)

koaben avatar May 16 '24 19:05 koaben

> when can I start helping maintaining this project? ;-)

> Let me configure the appropriate access this weekend. Ping me if I forget!

Ping ;-)

koaben avatar May 22 '24 17:05 koaben

> Ok. Thanks @tipsy (and @sembler)! A first clear goal is to publish a new release of j2html on https://mvnrepository.com/artifact/com.j2html/j2html (the next version will be without security issues in dependencies, so no troubles anymore with CVE-2020-13936). This will allow more people to use j2html ;-).

The security issue is in a test dependency, so not something that is included in the current release :)

> Question: I have never done this before, can you sketch the main steps I should execute for this goal for j2html? It would really be appreciated ;-)

I am still the only one who can release, and as long as I keep the repo on my GitHub user I want it to stay like that.

> Good day @tipsy and @sembler, an update: I have updated the GitHub workflow so the project now builds for Java21, Java17 and Java11 (the failing Java8 build is removed, as it is no longer maintainable with the new dependencies).

I don't think this is necessarily the right approach, j2html doesn't actually have any dependencies as far as I can remember. The dependencies are all in the supporting modules or using the test scope.

tipsy avatar May 22 '24 20:05 tipsy
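The two replies above rest on one point: the flagged Velocity is only a test-scoped dependency, so it never ends up in the published jar. As an added example (not code from the j2html project or this PR), the POSIX shell script below reads `mvn dependency:tree` output and reports any artifact of a given groupId that is resolved outside test scope; the sample tree, its artifact names and its version numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of j2html: check whether a groupId (here the old
# Apache Velocity the PR discusses) appears in the resolved dependency tree
# in any scope other than test, i.e. in a scope that ships with the artifact.
# Usage: mvn dependency:tree | sh shipped_deps.sh org.apache.velocity

# Reduce `mvn dependency:tree` text to "group:artifact:version:scope" lines
# for one groupId. Dependency lines end in "g:a:type[:classifier]:version:scope",
# so the version is the second-to-last colon field and the root line (4 fields)
# and unrelated "[INFO]" lines are skipped.
parse_tree() {
  awk -v g="$1" '
    /^\[INFO\] / && $NF ~ /:/ {
      n = split($NF, f, ":")
      if (n >= 5 && f[1] == g) print f[1] ":" f[2] ":" f[n-1] ":" f[n]
    }'
}

# Exit 0 only if every matching artifact is test-scoped; otherwise print the
# coordinates that would ship and exit 1.
shipped_deps() {
  hits=$(parse_tree "$1" | awk -F: '$4 != "test"')
  [ -z "$hits" ] || { printf 'shipped (non-test scope):\n%s\n' "$hits"; return 1; }
}

# Constructed sample output; versions and the com.example artifact are placeholders.
sample_tree() {
  cat <<'EOF'
[INFO] --- dependency:tree (default-cli) @ j2html ---
[INFO] com.j2html:j2html:jar:0.0.0-PLACEHOLDER
[INFO] +- org.apache.velocity:velocity:jar:1.7:test
[INFO] |  \- commons-lang:commons-lang:jar:2.4:test
[INFO] +- org.junit.jupiter:junit-jupiter:jar:5.10.2:test
[INFO] \- com.example:shipped-lib:jar:1.0:compile
[INFO] BUILD SUCCESS
EOF
}

# Check real Maven output from stdin when a groupId is given on the command line.
[ -z "${1-}" ] || shipped_deps "$1"
```

Run it against the real tree from the release module (`mvn dependency:tree -pl <module>`) to confirm that the only Velocity hits are test-scoped before cutting the release.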