Heads up that Jenkins (as of plugin parent 4.83, and at least workflow-cps
is still on 4.80) still uses Groovy 2.4.21. The CPS plugin is a drastic
ASTT, and it's core to modern Jenkins pipelines.

On Thu, Jun 27, 2024 at 9:09 PM Paul King <pa...@asert.com.au> wrote:

> Hi folks,
>
> Groovy 2.4.x hasn't been something we have progressed for some time.
> The last "real" commit to the GROOVY_2_4_X branch and the last release
> (2.4.21) were both in Dec 2020.
>
> For reference, 2.4.x supports back to JDK 1.6 while 2.5.x (which is
> not part of this discussion) supports back to JDK 1.7:
> https://groovy.apache.org/download.html#requirements
>
> On the recommended page for GitHub security policy:
> https://github.com/apache/groovy/security/policy
>
> We state:
> 2.4.x Only severe/critical vulnerabilities (*)
> (*) The 2.4.x stream is no longer the focus of the core team but
> critical security fixes or community contributions may lead to
> additional releases.
>
> I propose to make the EOL official. I don't think the "weak support"
> will be good enough once CRA regulations come into play. My
> understanding from the CRA requirements is that we either intend to
> provide timely fixes for vulnerabilities for any supported version, or
> we should mark versions as EOL. This doesn't stop us from making an
> emergency fix/release if we choose, it just indicates that shouldn't be
> the expectation.
>
> If anyone objects, please discuss here, otherwise I will create a VOTE
> thread in a few days.
>
> Paul.


-- 
Christopher Smith
