Hi,

The vote so far has three +1 votes from Eric Norman, Jörg Hoh and Stefan Seifert. No other votes have been cast.

I'll leave the vote open for 2 more days. This is your last chance to express a preference (or concern) before the final votes are tallied.

Regards,
Eric

On Thu, Nov 21, 2024 at 6:57 PM Eric Norman <enor...@apache.org> wrote:
> Hi,
>
> In light of SLING-12492 at [1] and the related PR and discussion at [2] I
> think it would be worthwhile to have a vote about our dependency update
> policy for dependencies with known security vulnerabilities.
>
> 1. https://issues.apache.org/jira/browse/SLING-12492
> 2. https://github.com/apache/sling-org-apache-sling-scripting-javascript/pull/3
>
> *History / Background:*
>
> The wiki at [3] captures what we said in the past and remains a good
> guideline for dependencies with no security concerns. Also, the last time
> this topic came up there was a discussion at [4] that ended with an
> inconclusive outcome, so please review that thread as well.
>
> 3. https://cwiki.apache.org/confluence/display/SLING/Dependabot
> 4. https://www.mail-archive.com/dev@sling.apache.org/msg122053.html
>
> *The Proposal:*
>
> Security scanning tools are regularly flagging Sling projects as
> "vulnerable" due to direct dependencies on other libraries that have known
> security vulnerabilities. These security reports can result in obscuring
> "real" security problems due to all the noise that we could clean up by
> changing our approach to such things.
>
> Basically, the proposal up for a vote is whether we should encourage
> updating the versions of dependencies to be the oldest compatible version
> that does not have known security vulnerabilities. This should resolve the
> concerns being identified by the security scanning tools and still ensure
> that our bundles are deployed in the widest possible range of "secure"
> environments.
>
> Please vote to approve this proposal:
>
> [ ] +1 Approve the proposal
> [ ] 0 Don't care
> [ ] -1 Reject the proposal, because ...
>
> This majority vote is open for at least 72 hours.
>
> Regards,
> Eric