Hi,
in light of https://issues.apache.org/jira/browse/SLING-11623 I think
it's worth having a hopefully brief discussion about our dependency
update policy.
https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
what we said in the past and I think this is a good guideline, keeping
the dependency at the lowest required.
However :) with security issues in dependencies like the above, we leave
all the responsibility on our users. Clearly, we don't want any of our
users to run with known security issues, so if we update our
dependencies to versions without known issues, we help our customers as
they have to update the dependencies as well. It makes the world a
little bit safer and avoids all these continuous scanning reports.
I'm currently torn between the two, slightly preferring to update
dependencies in case of security issues.
Regards
Carsten
--
Carsten Ziegeler
Adobe
cziege...@apache.org