GitHub user dave2wave added a comment to the discussion: Build distroless 
package for better security, smaller size, speed and more

About CVEs in a dependency. There can be many types of false positives.

1. The use of the package may already work around the vulnerability. This happened a lot in projects like POI, where XMLBeans was worked around until it was taken out of the Attic and fixed. In the meantime, those who did not need Entity Expansion could turn it off.
2. The vulnerable part of the dependency may not be used.

GitHub link: 
https://github.com/apache/pulsar/discussions/20253#discussioncomment-5851867
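The two false-positive classes in the comment above are exactly what VEX-style "not affected" justifications are meant to capture. The following is an added example (not part of the discussion comment or of the Pulsar project) showing how a dependency-scanner triage step can suppress a finding only when a reviewer has recorded a recognised justification plus evidence, and only for the versions the assessment was verified against. The package names, versions and CVE identifiers are constructed placeholders; the justification strings are the values from the CISA VEX status-justification list.

```python
"""Triage dependency-scanner findings against documented not-affected records."""
from dataclasses import dataclass

# Justification values from the CISA VEX status-justification list. The two
# false-positive cases described in the comment map onto the first two; the
# third covers a dependency whose vulnerable code was stripped at build time.
VALID_JUSTIFICATIONS = {
    "inline_mitigations_already_exist",     # case 1: usage already works around it
    "vulnerable_code_not_in_execute_path",  # case 2: vulnerable part is never called
    "vulnerable_code_not_present",
}


@dataclass(frozen=True)
class Finding:
    """One row of scanner output (constructed sample data, not real scanner output)."""
    cve: str
    package: str   # e.g. Maven groupId:artifactId
    version: str


@dataclass(frozen=True)
class NotAffected:
    """A reviewer's not-affected assessment for one (CVE, package) pair."""
    cve: str
    package: str
    justification: str
    evidence: str       # where a second reviewer can verify the claim
    versions: tuple     # versions the assessment was checked on; () means any


def record_is_valid(rec: NotAffected) -> bool:
    """A suppression needs a recognised justification and non-empty evidence."""
    return rec.justification in VALID_JUSTIFICATIONS and bool(rec.evidence.strip())


def triage(findings, records):
    """Split findings into (actionable, suppressed).

    actionable: list of Finding that still need work.
    suppressed: list of (Finding, NotAffected) pairs, so the reason travels
    with the finding into the report instead of the CVE silently vanishing.
    """
    index = {}
    for rec in records:
        if record_is_valid(rec):           # invalid records never suppress anything
            index[(rec.cve, rec.package)] = rec
    actionable, suppressed = [], []
    for f in findings:
        rec = index.get((f.cve, f.package))
        if rec is not None and (not rec.versions or f.version in rec.versions):
            suppressed.append((f, rec))
        else:
            actionable.append(f)
    return actionable, suppressed


# Constructed sample input; CVE numbers and coordinates are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "org.example:xml-parser", "1.2.3"),  # case 1
    Finding("CVE-0000-0001", "org.example:xml-parser", "2.0.0"),  # not verified on 2.0.0
    Finding("CVE-0000-0002", "org.example:util", "4.5.6"),        # case 2
    Finding("CVE-0000-0003", "org.example:util", "4.5.6"),        # no record at all
    Finding("CVE-0000-0004", "org.example:net", "7.8.9"),         # record lacks evidence
]

SAMPLE_RECORDS = [
    NotAffected("CVE-0000-0001", "org.example:xml-parser",
                "inline_mitigations_already_exist",
                "config/xml.properties: entity expansion disabled; see review ticket",
                ("1.2.3",)),
    NotAffected("CVE-0000-0002", "org.example:util",
                "vulnerable_code_not_in_execute_path",
                "call-graph report: affected class is never loaded by our modules",
                ()),
    NotAffected("CVE-0000-0004", "org.example:net",
                "vulnerable_code_not_present", "", ()),   # rejected: no evidence
]


def run_sample():
    """Run the triage over the constructed sample; returns (actionable, suppressed)."""
    return triage(SAMPLE_FINDINGS, SAMPLE_RECORDS)


if __name__ == "__main__":
    actionable, suppressed = run_sample()
    for f, rec in suppressed:
        print(f"SUPPRESSED {f.cve} {f.package}@{f.version}: {rec.justification} ({rec.evidence})")
    for f in actionable:
        print(f"ACTIONABLE {f.cve} {f.package}@{f.version}")
```

The version tuple is the part worth keeping in a real pipeline: a workaround such as disabling entity expansion is verified against one release, and the same CVE reappearing on a newer version should come back as actionable until someone re-checks it.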

----
This is an automatically sent email for commits@pulsar.apache.org.
To unsubscribe, please send an email to: commits-unsubscr...@pulsar.apache.org