Comment From: mnk
Please consider backporting this to the 3.3 branch to fix a security issue flagged by Snyk: https://security.snyk.io/vuln/SNYK-JAVA-ORGXMLUNIT-6751676
Comment From: bclozel
Thanks for the heads up. I don't think we should make an exception to our upgrade policy. Fortunately, the CVE is most likely not exploitable in Spring Boot applications (because they're not using this library against untrusted sources); it seems easy enough to upgrade locally, or even to set the `TransformerFactoryConfigurer.withSafeAttribute("jdk.xml.enableExtensionFunctions", "false")` property yourself in a <2.10 version.
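For readers who want to apply the mitigation mentioned above without depending on xmlunit's configurer at all, here is an added example (not code from this thread, from Spring Boot, or from the xmlunit project) that hardens a plain JAXP `TransformerFactory` directly. It assumes the default JDK XSLTC provider, which recognises the `jdk.xml.enableExtensionFunctions` attribute; other providers may reject it, so the helper reports rather than silently ignores that case. The class and method names are the example's own.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

/** Example helper (hypothetical name): builds an XSLT factory with extension functions disabled. */
public class HardenedTransformerFactoryExample {

    /** Returns a TransformerFactory that refuses Java extension functions and external fetches. */
    public static TransformerFactory newHardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();

        // Secure processing limits resource use and, on the JDK provider, switches
        // extension functions off unless they are explicitly re-enabled.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // The attribute named in the comment above, set explicitly so the intent
        // survives even if a provider derives different defaults from secure processing.
        setAttributeIfSupported(factory, "jdk.xml.enableExtensionFunctions", false);

        // Block document()/xsl:import style access to external DTDs and stylesheets.
        setAttributeIfSupported(factory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        setAttributeIfSupported(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Runs a stylesheet over a document with the hardened factory and returns the output. */
    public static String transform(String stylesheet, String document) throws TransformerException {
        Transformer transformer = newHardenedFactory()
                .newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        transformer.transform(new StreamSource(new StringReader(document)), new StreamResult(out));
        return out.toString();
    }

    private static void setAttributeIfSupported(TransformerFactory factory, String name, Object value) {
        try {
            factory.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            // A non-JDK provider may not know this attribute; make that visible instead of
            // assuming the hardening took effect.
            System.err.println("Provider " + factory.getClass().getName()
                    + " does not support attribute " + name + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign identity-style stylesheet and a tiny document.
        String stylesheet = "<xsl:stylesheet version=\"1.0\""
                + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
                + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc/text()\"/></out></xsl:template>"
                + "</xsl:stylesheet>";
        String document = "<doc>hello</doc>";

        // A normal transform still works with the hardened factory ...
        System.out.println(transform(stylesheet, document)); // <out>hello</out>

        // ... while a stylesheet that references a Java class through an extension
        // namespace is rejected at compile time with a TransformerConfigurationException.
    }
}
```

With `jdk.xml.enableExtensionFunctions` set to `false`, the JDK compiler rejects stylesheets that declare Java-class extension namespaces before any template runs, so the check happens at `newTransformer(...)` rather than during the transform; that is the behaviour the factory-level setting in the comment above is meant to provide.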