tschroeder-zendesk commented on PR #59073: URL: https://github.com/apache/airflow/pull/59073#issuecomment-3634772421
> > If you think otherwise, I suggest you contact our security team at [[email protected]](mailto:[email protected]) with a report.

> > Including POC @tschroeder-zendesk

> > Also @tschroeder-zendesk -> if you look at Security tab of our documentation, you will find SBOM - which is machine-readable, industry standard way how you can check which 3rd-party dependencies Airflow uses. Please use it next time when you want to see if particular component that you know is vulnerable. That will save a lot of time of maintainers that have to individually answer such questions rather than users reading information that is provided by maintainers so that they can use it.

> > When you are getting software for free, I think good idea is not to demand more time from maintainers than needed - especially if they provide you all information you need (for free mind you)

No need to be rude. I just asked if this addressed that as it seemed like it would since that CVE mentioned needing to bump react to 19.2.1 and react-dom 19.2.1 that seemed to be addressed here and after looking at the code it wasn't clear to me if this security issue was a problem. The version is definitely one of the affected so I don't think it was an unreasonable question.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
