[
https://issues.apache.org/jira/browse/SLING-11623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17620125#comment-17620125
]
Robert Munteanu commented on SLING-11623:
-----------------------------------------
[~kwin] - we touch on the "update OSGi dependencies as needed" topic at
https://cwiki.apache.org/confluence/display/SLING/Dependabot . I wrote that
page, but I think it captures the consensus that we have.
We already get "false flag" security reports, either in Sling or in
downstream distributions which include our bundles. I think we should follow
the implicit policy we have to keep the imports as relaxed as possible. If we
want to change that, let's have a discussion on the dev list and start
implementing it consistently. Doing different things for some
bundles/dependencies will only make things more confusing.
> update commons text
> -------------------
>
> Key: SLING-11623
> URL: https://issues.apache.org/jira/browse/SLING-11623
> Project: Sling
> Issue Type: Improvement
> Components: Commons, Feature Model, Maven Plugins and Archetypes,
> XSS Protection API
> Affects Versions: XSS Protection API 2.3.0, slingfeature-maven-plugin
> 1.6.8, Feature Model Launcher 1.2.0, Rewriter 1.3.4
> Reporter: Joerg Hoh
> Assignee: Joerg Hoh
> Priority: Major
> Fix For: slingfeature-maven-plugin 1.6.10, Feature Model Launcher
> 1.2.2, Rewriter 1.3.6, XSS Protection API 2.3.2
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)