It seems we all agree that we don't want our users to run vulnerable
dependencies. Yet, we do not agree on supporting our users in that respect.
IMHO, there is no point in guaranteeing that a Sling module still runs with
an old, insecure version of a dependency. However, we make it the
default to allow this.
I guess we can close this discussion as we are not moving anywhere.
Thanks
Carsten
On 19.10.2022 at 17:28, Carsten Ziegeler wrote:
Hi,
in light of https://issues.apache.org/jira/browse/SLING-11623 I think
it's worth having a hopefully brief discussion about our dependency
update policy.
https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
what we said in the past and I think this is a good guideline, keeping
the dependency at the lowest required.
However :) with security issues in dependencies like the above, we leave
all the responsibility on our users. Clearly, we don't want any of our
users to run with known security issues, so if we update our
dependencies to versions without known issues, we help our customers as
they have to update the dependencies as well. It makes the world a
little bit safer and avoids all these continuous scanning reports.
I'm currently torn between the two, slightly preferring to update
dependencies in case of security issues.
Regards
Carsten
--
Carsten Ziegeler
Adobe
cziege...@apache.org