I would also like to reiterate that if what you depend on is using proper semantic package versioning and the version numbers you depend on have not changed, then there would be no harm in updating the minimum version in your pom to the newer one. The output in your manifest would be identical.
How would you feel about some new tooling that is similar to the bnd-baseline-maven-plugin that would compare the Import-Package entries to check if any of the imported package ranges has changed since the last released version? If the minimum version of some imported package is now larger, then perhaps it should require a bump to the minor segment of the bundle version number and fail the build until that happens? That should make the dependabot pull requests that trigger that scenario fail to build without manual intervention. Then the dependabot pull requests that don't trigger that scenario could be approved and merged.

Regards,
Eric

On Wed, Oct 19, 2022 at 10:56 AM Eric Norman <enor...@apache.org> wrote:
> I would generally prefer that no dependencies have known security issues.
> Basically, my position on this is the same as it was ~3 years ago from the
> thread at [1].
>
> Also, I'd agree with what was reported at [2] that it doesn't make sense
> to depend on versions that have been declared as EOL when there is a newer
> alternative that is still maintained.
>
> 1. https://lists.apache.org/thread/jhj626gn9xzng3bdxkmyx6ozyvcg7rlq
> 2. https://issues.apache.org/jira/browse/SLING-11621
>
> Regards,
> Eric
>
> On Wed, Oct 19, 2022 at 8:28 AM Carsten Ziegeler <cziege...@apache.org>
> wrote:
>
>> Hi,
>>
>> in light of https://issues.apache.org/jira/browse/SLING-11623 I think
>> it's worth having a hopefully brief discussion about our dependency
>> update policy.
>>
>> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
>> what we said in the past and I think this is a good guideline, keeping
>> the dependency at the lowest required.
>>
>> However :) with security issues in dependencies like the above, we leave
>> all the responsibility on our users. Clearly, we don't want any of our
>> users to run with known security issues, so if we update our
>> dependencies to versions without known issues, we help our customers as
>> they have to update the dependencies as well. It makes the world a
>> little bit safer and avoids all these continuous scanning reports.
>>
>> I'm currently torn between the two, slightly preferring to update
>> dependencies in case of security issues.
>>
>> Regards
>> Carsten
>> --
>> Carsten Ziegeler
>> Adobe
>> cziege...@apache.org
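A sketch of the Import-Package baseline check proposed in the message above, added here as an example and not code from bnd, Sling or any existing plugin: the manifest header strings and version numbers are constructed, and the rule (a raised import lower bound requires a major or minor bump of Bundle-Version relative to the last release) follows the proposal in the thread.

```python
import re

def split_clauses(header):
    # Split an OSGi manifest header on commas that are not inside double quotes.
    return [c.strip() for c in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header) if c.strip()]

def parse_version(text):
    # OSGi version 'major.minor.micro[.qualifier]' -> (major, minor, micro)
    nums = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def lower_bound(range_text):
    # Lower bound of a range like "[1.7,2)"; a bare version such as "1.7" means at-least.
    text = range_text.strip().strip('"')
    return parse_version(text[1:].split(",")[0] if text[:1] in "[(" else text)

def import_lower_bounds(header):
    """Map each imported package to the minimum version it accepts (0.0.0 if unversioned)."""
    bounds = {}
    for clause in split_clauses(header):
        tokens = [t.strip() for t in clause.split(";")]
        versions = [t.split("=", 1)[1] for t in tokens if t.startswith("version=")]
        low = lower_bound(versions[0]) if versions else (0, 0, 0)
        for pkg in (t for t in tokens if "=" not in t):  # several packages may share one clause
            bounds[pkg] = low
    return bounds

def raised_imports(baseline_header, current_header):
    """Packages whose minimum imported version is higher than in the released baseline."""
    old, new = import_lower_bounds(baseline_header), import_lower_bounds(current_header)
    return {p: (old[p], v) for p, v in new.items() if p in old and v > old[p]}

def baseline_check(baseline_version, current_version, baseline_header, current_header):
    """Return None when the build may proceed, otherwise the reason it should fail."""
    raised = raised_imports(baseline_header, current_header)
    if not raised or parse_version(current_version)[:2] > parse_version(baseline_version)[:2]:
        return None  # nothing raised, or the major/minor segment was already bumped
    fmt = lambda v: ".".join(map(str, v))
    detail = ", ".join("%s %s -> %s" % (p, fmt(o), fmt(n)) for p, (o, n) in sorted(raised.items()))
    return "import minimum raised (%s) but Bundle-Version %s -> %s did not bump the minor segment" % (
        detail, baseline_version, current_version)

# Constructed sample headers (not from any real bundle): only the slf4j range changed.
BASELINE_IMPORTS = ('org.osgi.framework;version="[1.8,2)",org.slf4j;version="[1.7,2)",'
                    'javax.servlet;javax.servlet.http;version="[3.1,5)"')
CURRENT_IMPORTS = BASELINE_IMPORTS.replace('"[1.7,2)"', '"[2.0,3)"')

if __name__ == "__main__":
    print(baseline_check("1.2.0", "1.2.1", BASELINE_IMPORTS, CURRENT_IMPORTS))  # prints the failure reason
    print(baseline_check("1.2.0", "1.3.0", BASELINE_IMPORTS, CURRENT_IMPORTS))  # prints None
```

A Maven plugin implementing this would read the baseline header from the last released artifact in the repository, the way bnd-baseline-maven-plugin does for exported packages.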