joao-r-reis commented on issue #1931: URL: https://github.com/apache/cassandra-gocql-driver/issues/1931#issuecomment-4024897305
> Unfortunately, we cannot directly update the primary dependencies of your gocql library, unless you release a new version with updated dependencies. It could happen that a direct dependency of gocql is impacted by a CVE, and we would need to have in a certain time interval (more or less long) a new gocql version that includes the new dependency version fixing the security finding.

You can't choose the dependencies that gocql brings into your application, but you can override the version. If you install those dependencies directly on your application, those versions "override" the ones coming in from gocql. It's possible that the security scan will still fail depending on what kind of tool you are using, but in practice the application developer has the final say over which version of the dependency will be used in that application binary.
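The override described in the reply works because Go resolves module versions with minimal version selection: for every dependency, the build uses the highest minimum version that any module in the build list requires, so a `require` line in the application's own go.mod (added with `go get <module>@<version>`) wins over the lower minimum declared by gocql. The following Go program is an added illustration, not code from the issue or from the gocql project: it implements a simplified MVS over a constructed requirement graph (module names `app`, `gocql` and `example.com/transitive`, and all version numbers, are made up) and shows the selected version with and without the direct pin.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Requirement is one "module requires dependency at least MinVersion" edge,
// i.e. one line of a go.mod require block.
type Requirement struct {
	Module, Dependency, MinVersion string
}

// parseSemver turns "v1.2.3" into [1, 2, 3]. Components that fail to parse
// (e.g. a pre-release suffix such as "3-rc1") become 0; this illustration
// only handles plain MAJOR.MINOR.PATCH tags.
func parseSemver(v string) [3]int {
	var out [3]int
	parts := strings.SplitN(strings.TrimPrefix(v, "v"), ".", 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, _ := strconv.Atoi(parts[i])
		out[i] = n
	}
	return out
}

// versionLess reports whether version a sorts before version b.
func versionLess(a, b string) bool {
	pa, pb := parseSemver(a), parseSemver(b)
	for i := 0; i < 3; i++ {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// SelectVersions is a simplified minimal version selection: starting at the
// main module, walk every reachable requirement and, for each dependency,
// keep the highest minimum version that any module on the path asks for.
// (Real MVS keys requirements by module@version; here they are keyed by
// module name only, which is enough to show the override effect.)
func SelectVersions(mainModule string, reqs []Requirement) map[string]string {
	selected := map[string]string{}
	visited := map[string]bool{mainModule: true}
	queue := []string{mainModule}
	for len(queue) > 0 {
		mod := queue[0]
		queue = queue[1:]
		for _, r := range reqs {
			if r.Module != mod {
				continue
			}
			if cur, ok := selected[r.Dependency]; !ok || versionLess(cur, r.MinVersion) {
				selected[r.Dependency] = r.MinVersion
			}
			if !visited[r.Dependency] {
				visited[r.Dependency] = true
				queue = append(queue, r.Dependency)
			}
		}
	}
	return selected
}

// ExampleOverride builds a constructed graph: the app requires gocql, gocql
// requires an older version of a hypothetical transitive module, and the
// app optionally pins that module directly, which is what adding the
// `require` line to the app's own go.mod does.
func ExampleOverride(pinDirectly bool) map[string]string {
	reqs := []Requirement{
		{"app", "gocql", "v1.6.0"},                        // constructed version
		{"gocql", "example.com/transitive", "v0.10.0"},    // constructed version
	}
	if pinDirectly {
		reqs = append(reqs, Requirement{"app", "example.com/transitive", "v0.25.0"})
	}
	return SelectVersions("app", reqs)
}

func main() {
	fmt.Println("without direct pin:", ExampleOverride(false))
	fmt.Println("with direct pin:   ", ExampleOverride(true))
}
```

In a real project, `go list -m all` prints the versions MVS actually selected, which is the list a scanner should be reading rather than gocql's own go.mod. The pin only helps within the same major version: a fix that ships only as a new major version has a different module path, and gocql would still import the old one until it is updated.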
