Description
Expected Behavior
It would be ideal if we could migrate to the updated fork of the library, https://github.com/sparklemotion/nekohtml, which addresses the high-impact DoS vulnerability and has more potential to stay up to date should any more security advisories be issued.
Current Behavior
spring-security-dependencies defines the dependency net.sourceforge.nekohtml:nekohtml:1.9.22, which is no longer being maintained (since 2014) and includes several reported vulnerabilities that are not being looked into, as per: https://security.snyk.io/package/maven/net.sourceforge.nekohtml:nekohtml
Context
As part of our hardening processes, regular updates and best practices, we are trying to keep our dependencies on supported and up-to-date versions in our products, but since net.sourceforge.nekohtml:nekohtml is included with spring-security, we cannot directly influence this, and hence I have created this enhancement for consideration.
I am creating this as an enhancement, as the security issues do not lie directly with spring-security and are already disclosed anyway for the sourceforge fork of nekohtml.
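Until the BOM itself changes, a consuming project can override the managed version on its own side. The following pom.xml fragment is an added example, not part of this issue or of Spring Security's own build files: it imports the spring-security-dependencies BOM and declares net.sourceforge.nekohtml:nekohtml directly in the project's own dependencyManagement, which Maven gives precedence over versions coming from an imported BOM. The Spring Security version and the replacement nekohtml version are placeholders, since the issue names neither; the fork's published coordinates are also an assumption and should be checked before use.

```xml
<!-- Added example (not from the issue or the Spring Security project).
     Consumer pom.xml that imports the spring-security-dependencies BOM and
     pins net.sourceforge.nekohtml:nekohtml to a version of the maintainer's
     choosing. All *_PLACEHOLDER values must be substituted. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>nekohtml-override-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Placeholder: the Spring Security release whose BOM is imported. -->
    <spring-security.version>SPRING_SECURITY_VERSION_PLACEHOLDER</spring-security.version>
    <!-- Placeholder: the nekohtml build to force instead of 1.9.22. -->
    <nekohtml.version>NEKOHTML_REPLACEMENT_VERSION_PLACEHOLDER</nekohtml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Declared directly in this project's dependencyManagement, so it wins
           over the 1.9.22 entry that the imported BOM below would otherwise supply.
           Assumes the replacement is published under the same groupId:artifactId;
           if the fork uses different coordinates, exclude this artifact from the
           dependency that pulls it in and add the fork as an explicit dependency. -->
      <dependency>
        <groupId>net.sourceforge.nekohtml</groupId>
        <artifactId>nekohtml</artifactId>
        <version>${nekohtml.version}</version>
      </dependency>

      <!-- The BOM this issue refers to, imported as usual. -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-dependencies</artifactId>
        <version>${spring-security.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After applying the override, `mvn dependency:tree -Dincludes=net.sourceforge.nekohtml` shows which nekohtml version the build actually resolves and through which path, which is the check worth adding to the hardening process described above so that a later BOM bump cannot silently reintroduce 1.9.22.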