hpvd commented on issue #8815: URL: https://github.com/apache/pulsar/issues/8815#issuecomment-1027860622
With this high number of dependencies of all kinds and different ages, the main question that is bothering me:

=> Is it enough (or at least the best thing we could do at this time) if only the dependencies with already well known/reported security issues are updated? Like addressed in: https://github.com/apache/pulsar/pull/13972

-> Or is there a big risk of sacrificing security, performance and bug-freeness we didn't see yet (see goal of this issue https://github.com/apache/pulsar/issues/8815#issue-756101012) resulting from some of the other dependencies (with no reported security risks) for which there are also already updates available (sometimes for a long time)?

How can we be sure that every dependency, introduced several years ago, is still in use / needed?
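The three questions in the comment (known-advisory updates only, silently outdated dependencies, and dependencies nobody imports any more) can be answered with a small triage pass over the build file and the source tree. The script below is an added example, not code from the Pulsar project or from the commenter: it takes a constructed list of declared artifacts with their current and latest versions, a constructed advisory map (the advisory id is a placeholder, not a real advisory), and a handful of constructed Java import lines, and sorts each dependency into "has a known advisory", "outdated but no advisory", "current", and "possibly unused" (declared, but none of its packages is imported anywhere). For a real Maven build the same two facts come from `mvn dependency:analyze` (declared-but-unused artifacts) and `mvn versions:display-dependency-updates` (newer versions available); the package-prefix and version-comparison logic here is deliberately simplified.

```python
"""Dependency triage helper (added example; not Pulsar project code).

Cross-checks declared build dependencies against (a) a map of artifacts with
published advisories and (b) the packages actually imported in the source
tree, so "update only the ones with known issues" becomes a data-backed
decision rather than a guess.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Dependency:
    artifact: str            # groupId:artifactId, as it appears in the build file
    current: str             # version pinned in the build file
    latest: str              # newest version the version-check tool reported
    packages: Tuple[str, ...]  # Java package prefixes this artifact provides


# Constructed sample data; none of these artifacts, versions or ids are real.
DECLARED: List[Dependency] = [
    Dependency("com.example:json-lib", "1.2.0", "1.2.0", ("com.example.json",)),
    Dependency("com.example:http-client", "3.0.1", "3.4.0", ("com.example.http",)),
    Dependency("com.example:old-util", "0.9.0", "1.1.0", ("com.example.oldutil",)),
    Dependency("com.example:crypto-helper", "2.1.0", "2.5.0", ("com.example.crypto",)),
]

# Artifacts with a published advisory. The id is a PLACEHOLDER, not a real advisory.
ADVISORIES: Dict[str, str] = {"com.example:http-client": "ADVISORY-PLACEHOLDER-1"}

# Import lines as they would be collected (e.g. with grep) from the code base; constructed.
SOURCE_IMPORTS: List[str] = [
    "import com.example.json.JsonParser;",
    "import static com.example.crypto.Hasher.sha256;",
    "import java.util.List;",
]


def imported_packages(lines: Iterable[str]) -> Set[str]:
    """Reduce Java import statements to the package (or class) they name.

    'import a.b.C;' -> 'a.b', 'import a.b.*;' -> 'a.b',
    'import static a.b.C.m;' -> 'a.b.C'. Non-import lines are ignored.
    """
    pkgs: Set[str] = set()
    for line in lines:
        line = line.strip()
        if not line.startswith("import "):
            continue
        name = line[len("import "):].rstrip(";").strip()
        if name.startswith("static "):
            name = name[len("static "):].strip()
        pkgs.add(name.rsplit(".", 1)[0])  # drop the trailing class / member / '*'
    return pkgs


def is_used(dep: Dependency, pkgs: Set[str]) -> bool:
    """True if any imported package sits under one of the artifact's package prefixes."""
    return any(p == pre or p.startswith(pre + ".") for p in pkgs for pre in dep.packages)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Simplified numeric version key: '3.4.0' -> (3, 4, 0); non-numeric parts count as 0."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def triage(declared: List[Dependency], advisories: Dict[str, str],
           source_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket each declared dependency; an artifact can be both unused and flagged."""
    pkgs = imported_packages(source_lines)
    report: Dict[str, List[str]] = {
        "advisory": [], "outdated_no_advisory": [], "current": [], "possibly_unused": [],
    }
    for dep in declared:
        if not is_used(dep, pkgs):
            report["possibly_unused"].append(dep.artifact)
        if dep.artifact in advisories:
            report["advisory"].append(dep.artifact)
        elif version_tuple(dep.latest) > version_tuple(dep.current):
            report["outdated_no_advisory"].append(dep.artifact)
        else:
            report["current"].append(dep.artifact)
    return report


if __name__ == "__main__":
    for bucket, artifacts in triage(DECLARED, ADVISORIES, SOURCE_IMPORTS).items():
        print(f"{bucket}: {artifacts}")
```

The "possibly_unused" bucket is the cheapest win: a dependency that no source file imports can be removed outright, which answers the advisory-or-not question for it without any upgrade work. The "outdated_no_advisory" bucket is where the comment's second concern lives; those artifacts need a changelog review rather than an automatic bump, since the absence of an advisory is not evidence of absence of bugs.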
