Status of ESAPI 2.5.0.0 release #723
kwwall
announced in
Announcements
So, part way through the release, after following our release steps and pushing the 2.5.0.0 branch to main, I was running the 'mvn deploy' step, which uploads to the Maven Central 'staging area'. However, that step has a step that we built into it that causes it to run OWASP Dependency Check one last time. And it flagged a really old CVE associated with Xerces that we've never seen before. We don't use Xerces directly, but it is a transitive dependency via AntiSamy. However, I am currently trying to get in contact with the AntiSamy dev team to see if I can get them to confirm that it is a false positive (which is what I believe) before proceeding or trying to work around it.
However, this means that for the moment, there is both a 2.5.0.0 release and a corresponding signed tag (esapi-2.5.0.0) that may still need to be updated. :( It also means, in the meantime, that our 'main' branch no longer reflects the "latest officially available ESAPI release" for the moment.
Once this gets all straightened out, I will send out another update, but that may not be until tomorrow.