kwin commented on code in PR #2:
URL:
https://github.com/apache/sling-org-apache-sling-jcr-webdav/pull/2#discussion_r871359889
##########
pom.xml:
##########
@@ -40,46 +39,28 @@
<connection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-webdav.git</connection>
<developerConnection>scm:git:https://gitbox.apache.org/repos/asf/sling-org-apache-sling-jcr-webdav.git</developerConnection>
<url>https://gitbox.apache.org/repos/asf?p=sling-org-apache-sling-jcr-webdav.git</url>
+ <tag>HEAD</tag>
</scm>
<properties>
- <jackrabbit.version>2.14.2</jackrabbit.version>
+ <sling.java.version>8</sling.java.version>
+ <project.build.outputTimestamp>1</project.build.outputTimestamp>
+ <jackrabbit.version>2.14.3</jackrabbit.version>
Review Comment:
IMHO that doesn’t matter as long as we don’t embed the vulnerable
dependency. Sling in general recommends using the latest/greatest but does not
force to (that is obligation of Jackrabbit). We only depend on the oldest
dependency providing the necessary/used API
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
