[ https://issues.apache.org/jira/browse/SLING-12184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17793700#comment-17793700 ]
Konrad Windszus commented on SLING-12184:
-----------------------------------------
Well, I think this contradicts this sentence (which does not directly refer to
Dependabot):
bq. In Sling we have long had a policy of depending on the lowest possible
version of the API, to ensure that our bundles are deployed in the widest
possible range of environments. Therefore the responsibility of ensuring that
the environment is secure lies with the assembler and/or deployer of the
application, which should make sure that the OSGi bundles they deploy are
secure.
> Require at least Apache Tika 1.20
> ---------------------------------
>
> Key: SLING-12184
> URL: https://issues.apache.org/jira/browse/SLING-12184
> Project: Sling
> Issue Type: Improvement
> Components: Commons
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: Commons MIME 2.3.0
>
>
> In order to avoid that clients use a vulnerable Apache Tika version, we
> should increase the minimum version required to at least 1.20