raboof commented on PR #4401: URL: https://github.com/apache/fineract/pull/4401#issuecomment-2700259145
> First, reminder to immediately email any security findings to `security` at `fineract.apache.org`.

Thanks for highlighting this! To elaborate further, security findings should always be kept private until the release with the fix is out. Luckily, in this case there's no problem: because more often than not an advisory in a dependency does not actually impact the project (because the dependency is not used in a vulnerable way), we don't consider the output of scanning tools such as Docker Scout / Snyk as sensitive in themselves. You can read more about this at https://security.apache.org/report-dependency/ . Of course, upgrading those dependencies to remove the risk (and make the scanners happy) is still a good idea, also from a security perspective - so thanks for working on this!

> I think we should still proceed with the v1.11.0 release and upgrade dependencies (and fix tests) on develop. I'm not certain this is the best path; we may end up having to ship a v1.11.1 hotfix / patch release depending on what we find.

(this makes sense to me but of course is up to you as a project)