In our new company we have more strict security guidelines w.r.t. open source software.
The Lucene version that is currently bundled with RDF4J (i.e. Lucene 5.x) is EOL, same for Solr (and probably Elasticsearch). The current stable is 7.3.0 (or 7.3.1).
How are the policies with an upgrade of these 3rd party components? Could this be done in a 2.4.0 release?
I have done an evaluation of the update. Quite a bit of Lucene API replacements required, but looks pretty safe. The only thing that I could not solve so far is the update of "elasticsearch", which fails in Maven with a "bytecode enforce check" on log4j:
[INFO] Restricted to JDK 1.8 yet org.apache.logging.log4j:log4j-api:jar:2.9.1:compile contains META-INF/versions/9/org/apache/logging/log4j/util/ProcessIdUtil.class targeted to JDK 1.9
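
Added example, not part of the original post and not RDF4J or Maven code: a small scanner that reads the class-file header of every entry in a JAR and separates classes newer than the allowed release into those in the base tree and those under `META-INF/versions/N/`, the multi-release location named in the enforcer message above, which a Java 8 runtime does not load. The sample JAR and the `org/example/Util.class` names are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# Version-specific entries of a multi-release JAR (JEP 238).
MR_ENTRY = re.compile(r"^META-INF/versions/(\d+)/.+\.class$")


def class_major(data):
    """Return the class-file major version, or None if not a class file."""
    if len(data) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    return major if magic == 0xCAFEBABE else None


def java_release(major):
    # Major 45 is JDK 1.1; each later release adds one (52 = 8, 53 = 9).
    return major - 44


def scan_jar(jar_bytes, max_release=8):
    """List classes newer than max_release, split by location in the JAR."""
    base, versioned = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            major = class_major(jar.read(name))
            if major is None or java_release(major) <= max_release:
                continue
            hit = (name, java_release(major))
            (versioned if MR_ENTRY.match(name) else base).append(hit)
    return {"base": base, "versioned": versioned}


def build_sample_jar():
    """Constructed sample: two stub entries holding only a class-file header."""
    def stub(major):
        return struct.pack(">IHH", 0xCAFEBABE, 0, major)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/example/Util.class", stub(52))
        jar.writestr("META-INF/versions/9/org/example/Util.class", stub(53))
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```

Hits only under `versioned` mean the base classes still fit the target JDK; any hit under `base` means the dependency really does need a newer runtime.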