xvrl commented on code in PR #15522:
URL: https://github.com/apache/druid/pull/15522#discussion_r1424648064
##########
owasp-dependency-check-suppressions.xml:
##########
@@ -330,14 +330,6 @@
<cve>CVE-2022-25647</cve>
</suppress>
- <suppress>
- <!-- pac4j-core-3.8.3 -->
- <notes><![CDATA[
- file name: pac4j-core-3.8.3.jar
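Review bot: the hunk header `@@ -330,14 +330,6 @@` says eight lines are removed, but only the first four of the removed `<suppress>` block are visible here (`<suppress>`, the `pac4j-core-3.8.3` comment, `<notes><![CDATA[` and the `file name:` line), so the visible lines do not confirm that the matching `]]></notes>`, the CVE entry and the closing `</suppress>` go with it; please check the full diff so no unterminated CDATA or dangling `</suppress>` is left behind the preceding `<cve>CVE-2022-25647</cve>` entry. Also, since the suppression is keyed on the `pac4j-core-3.8.3.jar` file name, it would stop matching after a pac4j bump regardless, and if the upgraded version may still be flagged it would be clearer to update the file name pattern and keep the entry with a comment explaining why than to delete it and re-add it later.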
Review Comment:
It looks like 5.3.1 was released to "fully fix" that CVE but it's unclear if
4.x is affected.
We can add an exception in the suppressions for it to merge this version,
since this is already a big improvement and upgrades us to a more recent
version.
We can then do a follow-up PR to see if we can move to 5.x
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]