Hershel1995 commented on issue #1931: URL: https://github.com/apache/cassandra-gocql-driver/issues/1931#issuecomment-4023678565
Yes, for sure, in case of a major update of direct dependencies you need to analyze the impacts and understand whether they are disruptive (in that case, evaluating whether a patch release does not fit well). Unfortunately, we cannot directly update the primary dependencies of your gocql library, unless you release a new version with updated dependencies. It could happen that a direct dependency of gocql is impacted by a CVE, and we would need to have, in a certain time interval (more or less long), a new gocql version that includes the new dependency version fixing the security finding. I would like to suggest that you also consider updating direct dependencies before proceeding with an official release, in order to support a periodic refresh and avoid security impacts.

Anyhow, thanks for the positive discussion and information! I will close the issue.
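The situation the comment describes, a library's pinned direct dependency falling below the first version that fixes a CVE, is something a consumer can check mechanically. The following is an added example, not code from the commenter or from the gocql project: it parses the `require` directives of a go.mod file with the standard library only and flags every module whose pinned version is lower than a minimum taken from an advisory list. The go.mod content, module paths (`example.com/dep-a` and so on) and minimum versions are constructed placeholders, and the version comparison is a simplified semver check that ignores pre-release and build suffixes.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one module requirement read from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// ParseGoMod extracts require directives (block form and single-line form)
// from go.mod text. replace/exclude directives are deliberately ignored.
func ParseGoMod(src string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseRequireLine(line); ok {
				reqs = append(reqs, r)
			}
		case line == "require (":
			inBlock = true
		case strings.HasPrefix(line, "require "):
			if r, ok := parseRequireLine(strings.TrimPrefix(line, "require ")); ok {
				reqs = append(reqs, r)
			}
		}
	}
	return reqs
}

// parseRequireLine turns "<path> <version> [// indirect]" into a Requirement.
func parseRequireLine(line string) (Requirement, bool) {
	if line == "" || strings.HasPrefix(line, "//") {
		return Requirement{}, false
	}
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Requirement{}, false
	}
	return Requirement{
		Path:     fields[0],
		Version:  fields[1],
		Indirect: strings.Contains(line, "// indirect"),
	}, true
}

// versionParts parses "vMAJOR.MINOR.PATCH[-pre][+meta]" into numeric parts.
// Pre-release and build suffixes are dropped, which is enough for a
// minimum-version check against a "first fixed version" list.
func versionParts(v string) [3]int {
	var parts [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		parts[i] = n
	}
	return parts
}

// VersionLess reports whether version a is strictly lower than version b.
func VersionLess(a, b string) bool {
	pa, pb := versionParts(a), versionParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Finding records a requirement pinned below the version that carries the fix.
type Finding struct {
	Path, Have, Need string
	Indirect         bool
}

// CheckMinimums compares each requirement against a map of module path ->
// first fixed version and returns the requirements that fall short.
func CheckMinimums(reqs []Requirement, minimums map[string]string) []Finding {
	var out []Finding
	for _, r := range reqs {
		if need, ok := minimums[r.Path]; ok && VersionLess(r.Version, need) {
			out = append(out, Finding{r.Path, r.Version, need, r.Indirect})
		}
	}
	return out
}

// SampleGoMod is a constructed go.mod; module paths and versions are placeholders.
const SampleGoMod = `module example.com/placeholder-lib

go 1.21

require (
	example.com/dep-a v1.2.3
	example.com/dep-b v0.9.0 // indirect
)

require example.com/dep-c v2.0.1+incompatible
`

// SampleMinimums is a constructed advisory list (module path -> first fixed version).
var SampleMinimums = map[string]string{
	"example.com/dep-a": "v1.2.4",
	"example.com/dep-b": "v0.9.0",
	"example.com/dep-c": "v2.1.0",
}

func main() {
	for _, f := range CheckMinimums(ParseGoMod(SampleGoMod), SampleMinimums) {
		fmt.Printf("%s: have %s, fixed in %s (indirect=%v)\n", f.Path, f.Have, f.Need, f.Indirect)
	}
}
```

Run against a library's go.mod at the tagged release you consume, this reports which of its direct requirements would still need a new upstream release (or a higher `require` in your own module, which Go's minimal version selection honours) before the fix reaches your build. Replace the constructed advisory map with data from a real vulnerability feed before relying on the result.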
