[
https://issues.apache.org/jira/browse/SLING-12492?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17906505#comment-17906505
]
Scott Yuan commented on SLING-12492:
------------------------------------
Hello [~rombert],
Thank you for asking! From my side, bumping to the latest version to remove
the misleading CVE is sufficient. In the longer term, it would be great if
Dependabot could avoid providing misleading conclusions, but this is not a
must-have for raising this JIRA.
Also, apologies—I had subscribed to {{@dev}} but didn’t receive any updates or
discussions, so I missed out on the ongoing conversation there.
> Apache Sling Scripting JavaScript 3.1.4 is affected by vulnerabilities
> CVE-2022-32549 and CVE-2021-29425.
> ---------------------------------------------------------------------------------------------------------
>
> Key: SLING-12492
> URL: https://issues.apache.org/jira/browse/SLING-12492
> Project: Sling
> Issue Type: Improvement
> Components: Scripting
> Affects Versions: Scripting JavaScript 3.1.4
> Reporter: Scott Yuan
> Assignee: Eric Norman
> Priority: Minor
> Fix For: Scripting JavaScript 3.1.6
>
>
> The MVN Repository reports that the latest release, Apache Sling Scripting
> JavaScript 3.1.4, is affected by vulnerabilities CVE-2022-32549 and
> CVE-2021-29425 due to outdated dependencies. For more details, visit MVN
> Repository.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
