FastJSON is the source of these security issues, and Nacos is a famous project. But security issues are a very important problem, and they can't really resolve it.
So I suggest just removing Nacos from the release package, keeping the source code in our project.

Sheng Wu <wush...@apache.org> wrote on Wed, May 20, 2020 at 20:51:
> Hi dev team
>
> Especially committers and PMC members: recently, we just upgraded fastjson
> through https://github.com/apache/skywalking/pull/4753. But today, we
> received another report about a security issue again,
> https://github.com/apache/skywalking/pull/4804.
> The 4804 PR is not correct, but that is not the point.
>
> The concern I want to mention is that FastJson, imported by Nacos, keeps
> reporting security issues. This breaks our stable/security status very
> frequently.
>
> I want to ask, *do we need to consider removing the Nacos +
> FastJSON dependency? Because this library is not of high quality from a
> security perspective.*
> These two are not required; they are just an implementation of a
> configuration server and cluster management server.
>
> I don't request to act now, but I would like to hear what you think.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108