Since the JDK 7 the commons-vfs library became largely obsolete as the new java.nio package introduce its own file system abstraction. This causes less and less people using commons-vfs, halting its development and making it a burden for anyone who cares about security and depends on Spoofax. Today, commons-vfs already (optionally) depends on other libraries which are known to have vulnerabilities, such as an very old version of commons-net and commons-http. I think it would therefore make sense to completely get rid of commons-vfs and implement its functionality on top of java.nio instead.

Submitted by Korbinian Schmid on 22 February 2017 at 15:59

Log in to post comments