Hello Elvis,

We are always reviewing these as well, and we do generate similar reports to what you're suggesting. If we confirm anything as warranting urgent action, we take it. Otherwise we handle these dependency changes as we can, and they come in the normal release process.

These reports generate a mind-blowing number of false positives, as simply having a dependency in our stack which has a vulnerability doesn't mean we use it in a way that exposes it.

Thanks

On Thu, Sep 16, 2021 at 1:54 PM Elvis-ch1 <[email protected]> wrote:
>
> Hi, please, I'd like to find out when a patch on Apache NiFi will be
> released. The present v1.14.0 seems to have some highly vulnerable
> packages picked up by our security scanners during continuous
> monitoring, hence my boss said I should reach out and find out when
> there will be a new release, so we can plan an internal timeline. I
> noticed v1.14.2 in the pipeline on GitHub. Please let me know, thanks.
>
