Backport XXE fix Dataverse 6.3

ofuuzo ofuuzo

Aug 28, 2025, 10:53:11 AM
to Dataverse Users Community
Hi,
I am backporting the XOAI update (#11635) into version 6.3.
In PR #11635, Dataverse updated XOAI to a patched version (with a secure XMLInputFactory).
This change was made in the pom.xml file (Maven dependency).
I want to update the pom.xml file to use the new XOAI version and rebuild Dataverse so that the patched XOAI is included.

However, I am encountering error messages stating that the <repository> declaration is incorrect.
What is the correct configuration? I have tried several alternatives, but none have been successful.

1.
<repositories>
  <repository>
    <id>central</id>
    <url>https://repo1.maven.org/maven2/</url>
    <releases><enabled>true</enabled></releases>
    <snapshots><enabled>false</enabled></snapshots>
  </repository>
</repositories>


2.
<repositories>
    <repository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2/</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
    <repository>
        <id>oss.sonatype.org</id>
        <url>https://oss.sonatype.org/content/repositories/releases/</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>

3.
<repositories>
    <repository>
        <id>unidata-all</id>
        <name>Unidata All Repository</name>
        <url>https://artifacts.unidata.ucar.edu/repository/unidata-all/</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
    </repository>
</repositories>

Regards,
Obi

Philip Durbin

Sep 2, 2025, 2:06:50 PM
to dataverse...@googlegroups.com
Hi Obi,

None of the above. We re-added the "local_lib" repository in https://github.com/IQSS/dataverse/pull/11011 (temporarily, I'd say). Please take a look at that PR for changes to modules/dataverse-parent/pom.xml that look like this:

<!-- this is TEMPORARY, adding local repository, in order to build with a custom version of xoai -->
<repository>
    <id>dvn.private</id>
    <name>Local repository for hosting jars not available from network repositories.</name>
    <url>file://${project.basedir}/local_lib</url>
</repository>

Once we get all our dependencies back on Maven Central ( https://github.com/IQSS/dataverse/issues/11512 is related) we'll probably get rid of the local_lib repo (again).

I hope this helps!

Phil
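
Added example, not part of the thread and not XOAI or Dataverse code: a stand-alone Java check of what a "secure XMLInputFactory" usually means for XXE, which can be run against the JDK or StAX implementation used by a rebuilt deployment. It assumes the hardening consists of the standard StAX properties SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES being disabled (the thread does not show the patched XOAI code); the class name, marker string and temporary file are constructed for illustration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeHardeningCheck {
    // Constructed marker written to a temp file that the sample document references.
    static final String MARKER = "CONSTRUCTED-MARKER-12345";

    // StAX factory with DTD processing and external entities switched off (assumed hardening).
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // True if the external entity was expanded, i.e. the marker file's content reached the parsed text.
    static boolean expandsExternalEntity(XMLInputFactory f, Path markerFile) {
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + markerFile.toUri() + "\">]>\n"
                + "<r>&ext;</r>";
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            // Rejecting the document outright is an acceptable outcome for a hardened parser.
        }
        return text.indexOf(MARKER) >= 0;
    }

    public static void main(String[] args) throws Exception {
        Path marker = Files.createTempFile("xxe-check", ".txt");
        Files.writeString(marker, MARKER);
        boolean leaked = expandsExternalEntity(hardenedFactory(), marker);
        Files.deleteIfExists(marker);
        System.out.println(leaked ? "FAIL: external entity expanded" : "OK: external entity not expanded");
        System.exit(leaked ? 1 : 0);
    }
}
```

The check passes whether the parser skips the DTD or throws on the undeclared entity; it only fails if the marker file's content appears in the parsed text.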
