I want to add another aspect to this discussion. In many of our integration tests we use the versions of additional bundles to deploy into the IT from the pom. That means that in all of these ITs we deliberately test against old(er) versions of our bundles (except the test subject, of course); that might be a combination of bundles many consumers won't use anymore, and which leaves some gaps in test coverage for new features.
On Wed., 19 Oct. 2022 at 17:28, Carsten Ziegeler <cziege...@apache.org> wrote:

> Hi,
>
> in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> it's worth to have a hopefully brief discussion about our dependency
> update policy.
>
> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> what we said in the past and I think this is a good guideline, keeping
> the dependency at the lowest required.
>
> However :) with security issues in dependencies like the above, we leave
> all the responsibility on our users. Clearly, we don't want any of our
> users to run with known security issues, so if we update our
> dependencies to versions without known issues, we help our customers as
> they have to update the dependencies as well. It makes the world a
> little bit safer and avoids all these continuous scanning reports.
>
> I'm currently torn between the two, slightly preferring to update
> dependencies in case of security issues.
>
> Regards
> Carsten
> --
> Carsten Ziegeler
> Adobe
> cziege...@apache.org

--
Cheers,
Jörg Hoh,

https://cqdump.joerghoh.de
Twitter: @joerghoh