On 21/09/2021 09:43, Bruno P. Kinoshita wrote:
> I had two repositories with Jena that received dependabot updates this
> morning. It even created the PR with the updated dependency :-) good process.
> Only had to press one button to merge it.

This is the Security Wombles at GH. Must be triggered by setting the CVE
as "high". I don't recall anything last time at "medium" but that was in
one part of Jena so might not have passed some filter or other.

Andy

https://en.wikipedia.org/wiki/The_Wombles

> Thanks
> Bruno
>
> On Tuesday, 21 September 2021, 08:00:22 pm NZST, Andy Seaborne
> <a...@apache.org> wrote:
>
>> FYI:
>>
>> The GH security dependabot has started doing the rounds. It is flagging
>> up our security update (CVE-2021-39239 -- XML reading) on GH repos
>> depending on <= 4.1.0.
>>
>> It has also flagged up "4.3.0-SNAPSHOT" - it, or maven, always did get a
>> bit confused by versions that aren't x.y.z.
>>
>> Andy
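The thread turns on how an advisory range ("<= 4.1.0") is matched against dependency versions that are not plain x.y.z, such as "4.3.0-SNAPSHOT". The script below is an added illustration, not code from the Jena project or from dependabot: it compares Maven-style versions with a simplified reading of Maven's ComparableVersion qualifier ordering (an assumption of this example, not a description of GitHub's matcher), evaluates them against the range quoted in the thread, and shows that a pre-release qualifier sorts below its release but a higher numeric component still wins. The sample dependency list is constructed.

```python
"""Check Maven-style dependency versions against an advisory's affected range.

Added example (not Jena or dependabot code). The range "<= 4.1.0" comes from
the thread; the qualifier ordering is a simplified Maven ComparableVersion
reading and is an assumption here, not how GitHub's matcher is implemented.
"""
import operator
import re
from functools import total_ordering

# Maven orders pre-release qualifiers below the bare release of the same
# numeric version: alpha < beta < milestone < rc < snapshot < (release) < sp.
# Rank 0 is "release"; numeric 0 gets the same key so that 4.1 == 4.1.0.
_QUALIFIER_RANK = {
    "alpha": -5, "a": -5, "beta": -4, "b": -4, "milestone": -3, "m": -3,
    "rc": -2, "cr": -2, "snapshot": -1,
    "": 0, "ga": 0, "final": 0, "release": 0, "sp": 1,
}
_UNKNOWN_RANK = 2          # Maven sorts unrecognised qualifiers after known ones.
_PAD = (0, 0, "")          # A missing trailing token compares as "release".


def _token_key(token):
    """Map one token to a sortable (kind, rank, text) tuple."""
    if token.isdigit():
        n = int(token)
        return (1, n, "") if n > 0 else _PAD
    q = token.lower()
    if q in _QUALIFIER_RANK:
        return (0, _QUALIFIER_RANK[q], "")
    return (0, _UNKNOWN_RANK, q)


@total_ordering
class MavenVersion:
    """A version string compared with Maven-like semantics."""

    def __init__(self, text):
        self.text = text.strip()
        # Split on '.' and '-', then on letter/digit boundaries, so that
        # "4.1.0-rc1" tokenises as 4, 1, 0, rc, 1 (as Maven does).
        parts = []
        for chunk in re.split(r"[.\-]", self.text):
            parts.extend(re.findall(r"\d+|[A-Za-z]+", chunk))
        if not parts:
            raise ValueError(f"unparseable version: {text!r}")
        keys = [_token_key(p) for p in parts]
        while keys and keys[-1] == _PAD:   # 4.1.0 and 4.1 normalise alike
            keys.pop()
        self.keys = tuple(keys)

    def _padded(self, n):
        return self.keys + (_PAD,) * (n - len(self.keys))

    def __eq__(self, other):
        n = max(len(self.keys), len(other.keys))
        return self._padded(n) == other._padded(n)

    def __lt__(self, other):
        n = max(len(self.keys), len(other.keys))
        return self._padded(n) < other._padded(n)

    def __hash__(self):
        return hash(self.keys)


_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        "==": operator.eq, ">=": operator.ge, ">": operator.gt}
_CLAUSE = re.compile(r"^\s*(<=|>=|==|<|>|=)\s*(\S+)\s*$")


def parse_range(spec):
    """Turn '<= 4.1.0' or '>= 4.0.0, < 4.1.1' into a predicate over
    MavenVersion. Comma-separated clauses are ANDed."""
    preds = []
    for clause in spec.split(","):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        preds.append((_OPS[m.group(1)], MavenVersion(m.group(2))))
    return lambda v: all(op(v, bound) for op, bound in preds)


def is_affected(version, affected_range):
    """True if `version` lies inside the advisory's affected range."""
    return parse_range(affected_range)(MavenVersion(version))


def triage(dependencies, affected_range):
    """Return [(artifact, version, affected)] for (artifact, version) pairs."""
    inside = parse_range(affected_range)
    return [(name, ver, inside(MavenVersion(ver))) for name, ver in dependencies]


if __name__ == "__main__":
    # Constructed sample; not taken from any real pom.xml.
    sample = [("org.apache.jena:jena-arq", v)
              for v in ("4.1.0", "4.2.0", "4.3.0-SNAPSHOT", "4.1.0-SNAPSHOT")]
    for name, ver, hit in triage(sample, "<= 4.1.0"):
        print(f"{name}:{ver:<16} affected={hit}")
```

Under these rules 4.3.0-SNAPSHOT is correctly outside "<= 4.1.0" (the numeric 3 decides before the qualifier is reached), while 4.1.0-SNAPSHOT is inside, because a snapshot sorts below its own release. A matcher that treats anything it cannot parse as x.y.z conservatively, or that compares the string lexically, will behave differently, which is the practical reason to check how your scanner handles qualifiers before trusting or dismissing a flag on a non-release version.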