Skip to content

Upgrade Dependencies and Refactor POMs#482

Open
amirkaveh wants to merge 14 commits intosannies:masterfrom
amirkaveh:master
Open

Upgrade Dependencies and Refactor POMs#482
amirkaveh wants to merge 14 commits intosannies:masterfrom
amirkaveh:master

Conversation

@amirkaveh
Copy link

@amirkaveh amirkaveh commented Dec 31, 2025

Maven POM Modernization and Security Fixes

Background

While attempting to use org.mp4parser:isoparser:1.9.56 as a dependency, security scanners flagged multiple vulnerabilities in its transitive dependencies. This PR addresses those vulnerabilities and modernizes the build configuration.

Security Vulnerabilities Addressed

CVE Severity Library Description Fix
CVE-2021-29425 Medium (5.3) commons-io < 2.7 Path traversal via FileNameUtils.normalize() Upgraded to 2.21.0
CVE-2024-47554 Medium (5.3) commons-io < 2.14.0 DoS via XmlStreamReader CPU exhaustion Upgraded to 2.21.0
CVE-2020-15250 Medium (5.5) junit < 4.13.1 Information disclosure via TemporaryFolder Migrated to JUnit 5.14.1

Dependency Upgrades

Dependency Before After
JUnit 4.12 5.14.1 (migrated all tests)
Commons IO 2.5 2.21.0
Commons Codec 1.10 1.20.0
SLF4J 1.8.0-beta4 2.0.17
AspectJ 1.9.7 1.9.7 (unchanged)

Plugin Upgrades

Plugin Before After
maven-source-plugin 3.0.1 3.3.1
maven-javadoc-plugin 3.1.1 / 3.4.0 3.12.0
maven-gpg-plugin 1.5 / 1.6 3.2.8
maven-resources-plugin 3.1.0 3.3.1
maven-compiler-plugin 3.8.1 3.14.1
maven-release-plugin 3.0.0-M5 3.1.1
maven-dependency-plugin 3.3.0 3.8.1
aspectj-maven-plugin 1.14.0 1.15.0
nexus-staging-maven-plugin 1.6.13 1.7.0

Structural Improvements

Centralized Dependency Management

  • Added <dependencyManagement> in parent POM for all shared dependencies
  • Introduced junit-bom for consistent JUnit version management
  • Child POMs now inherit versions from parent (removed all hardcoded versions)
  • Fixed inter-module dependencies to use ${project.version} instead of hardcoded 1.9.57-SNAPSHOT

Centralized Plugin Management

  • Created version properties for all dependencies and plugins
  • Removed duplicate plugin declarations (maven-source-plugin, maven-javadoc-plugin were declared twice)
  • Consolidated inconsistent plugin versions (maven-gpg-plugin had 1.5 and 1.6)

Fixed AspectJ Configuration

  • Changed complianceLevel/source/target from 9 to 1.8 (was inconsistent with Java 8 target)
  • Fixed typo in module-path: slf4-api.jarslf4j-api.jar

Cleanup

  • Removed deprecated <prerequisites> tag
  • Removed duplicate metadata from child POMs (<licenses>, <developers>, <scm>, <url>, <groupId>, <properties>)
  • Removed duplicate release-sign-artifacts profile from streaming module
  • Updated stale SCM tag: mp4parser-project-1.9.43HEAD

Results

  • ✅ All 169 tests passing
  • ✅ Single source of truth for all versions
  • ✅ Java 8 compatibility maintained

Not Addressed

Warning

nexus-staging-maven-plugin still references OSSRH (https://oss.sonatype.org/) which shut down June 2025. A separate migration to central-publishing-maven-plugin is required for Maven Central publishing.

@amirkaveh
update gitignore to ignore .mp4 files generated in tests
fc66d2c
@amirkaveh
fix compilation errors on java 8
85b713c 
change pom configs so that project can be compiled with java 8
@amirkaveh
upgrade commons-io
0f9348d 
upgrade commons-io from 2.5 to 2.21.0 due to multiple vulnerabilities
@amirkaveh
upgrade JUnit
af1966c 
upgrade JUnit from 4.12 to 5.14.1 due to multiple vulnerabilities
@amirkaveh
remove duplicate plugins from POMs
a1ccf76
@amirkaveh
upgrade dependencies (slf4j and commons-codec)
a64327c 
upgrade slf4j-api from 1.8.0-beta4 to 2.0.17
upgrade slf4j-simple from 1.8.0-beta4 to 2.0.17
upgrade commons-codec from 1.10 to 1.20.0
@amirkaveh
upgrade maven plugins
71edcd2 
upgrade maven-compiler-plugin from 3.8.1 to 3.14.1
upgrade maven-source-plugin from 3.0.1 to 3.3.1
upgrade maven-javadoc-plugin from 3.4.0 to 3.12.0
upgrade maven-gpg-plugin from 1.6 to 3.2.8
upgrade maven-resources-plugin from 3.1.0 to 3.3.1
upgrade maven-release-plugin from 3.0.0-M5 to 3.1.1
upgrade maven-dependency-plugin from 3.3.0 to 3.8.1
upgrade nexus-staging-maven-plugin from 1.6.13 to 1.7.0
@amirkaveh
fix typo in AspectJ configuration
b5740ea
@amirkaveh
upgrade aspectj-maven-plugin
9354c17 
upgrade aspectj-maven-plugin from 1.14.0 to 1.15.0
@amirkaveh
remove hardcoded intermodule versions
1d45f3c
@amirkaveh
centralize slf4j dependency versions
9688ad6
@amirkaveh
remove groupId from child POMs
57285d1
@amirkaveh
remove version from child POMs
7bc2ff9
@amirkaveh
refactor POMs: centralize dependency and plugin management in parent POM
7168699 
Parent POM changes:
- Remove deprecated <prerequisites> tag
- Add version properties for all dependencies and plugins
- Add to dependencyManagement: aspectjrt, aspectjtools, commons-io, commons-codec
- Add to pluginManagement: maven-dependency-plugin, aspectj-maven-plugin
- Update SCM tag from 'mp4parser-project-1.9.43' to 'HEAD'

Child POM changes:
- Remove redundant elements inherited from parent:
  - <groupId>, <url>, <properties>, <licenses>, <developers>, <scm>
- Remove hardcoded dependency versions (now managed by parent)
- Remove hardcoded plugin versions (now managed by parent)
- Remove duplicate 'release-sign-artifacts' profile from streaming
- Remove <defaultGoal> from isoparser (inherited from parent)
@sannies
Copy link
Owner

sannies commented Jan 22, 2026

Hi,
thank you for your PR but the project is dead from my point of view. I'm not going to accept any PR or release new versions (unless paid work). I hope that doesn't come as a surprise as there was no single PR merge in the past 4 years.
Feel free to fork and release your own versions!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amirkaveh @sannies