enapps-enorman commented on PR #3: URL: https://github.com/apache/sling-org-apache-sling-scripting-javascript/pull/3#issuecomment-2489731272
> If we were to merge this PR then we would modify the import ranges of this bundle to no longer work with older versions of commons-io and org.apache.sling.api. While I personally think it's a bad idea to deploy vulnerable versions, we can't force our users to do that, it must be their action.
>
> For this reason we don't usually update dependencies

Maybe we could have another vote on that? I'd still prefer these dependencies to be the oldest compatible version that doesn't have known security vulnerabilities just to keep these scanners happy.

I get a weekly "security alert digest" email from github every week for all the projects with "known security vulnerabilities detected". That email has become almost useless because it only contains the first 10 hits and all of them are apache/sling projects impacted by this type of problem. So I may never see "real" security problems due to all the noise that we could clean up by changing our approach to such things.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
