Hi Adam

You don't have to do anything.

Mostly as a security release of a plugin should not break API compatibility. If someone installs your plugin, then Jenkins will, if the mailer plugin is not installed, install the latest from the update center that it knows about.

You can choose to update the dependency in your pom to stop the GitHub security warning, but a release is not required.

In other words, think of plugin dependencies as runtime lower limits, not hard dependencies.

/James

On Wednesday, 26 January 2022 at 22:01:06 UTC [email protected] wrote:
> Hi all,
>
> January's security advisory had several vulnerabilities disclosed in
> plugins [1]. Some of these plugins are widely used and may be used as
> dependencies in other plugins. For example, my team maintains the
> openshift-login-plugin and we depend on Mailer, which was recently updated
> with a security fix.
>
> What is the right thing to do if we observe that a released plugin
> includes another vulnerable plugin as a dependency? Does this warrant a
> security issue?
>
> Thanks,
> Adam
>
> [1] https://www.jenkins.io/security/advisory/2022-01-12/
>
> --
> Adam Kaplan
> He/Him
> Principal Software Engineer
> Red Hat <https://www.redhat.com>
> 100 E. Davie Street
> [email protected] T: 1-919-754-4843
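The "runtime lower limit" rule James describes can be checked mechanically. The script below is an added example and is not code from this thread or from the Jenkins project: it reads the dependency versions out of a plugin's pom.xml, compares them with what the update center currently offers and with the first fixed version named in an advisory, and reports two things for each advisory-listed dependency: whether a fresh install (which pulls the update-center latest) lands on a fixed version, and whether the pom's declared minimum by itself already forces a fixed version onto users who upgrade the plugin. The pom fragment, the update-center entries, the advisory table and all version strings are constructed sample data, and `version_key` is a deliberately simplified approximation of Jenkins' `hudson.util.VersionNumber` ordering (numeric components compared as integers, everything else as strings), so treat it as an assumption rather than the real comparison.

```python
"""Check a plugin's declared dependency lower bounds against an advisory.

Added example (not Jenkins project code). All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml of a hypothetical plugin that depends on mailer.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>example-login</artifactId>
  <packaging>hpi</packaging>
  <dependencies>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>mailer</artifactId>
      <version>1.32.1</version>
    </dependency>
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>credentials</artifactId>
      <version>2.6.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for the "plugins" entries of update-center.json (latest version only).
UPDATE_CENTER = {
    "mailer": {"version": "408.vd7a_b_d2a_27d2b_"},
    "credentials": {"version": "1087.v16065d268466"},
}

# Constructed stand-in for an advisory: plugin -> first fixed version.
ADVISORY_FIXED = {
    "mailer": "408.vd7a_b_d2a_27d2b_",
}

MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Simplified approximation (assumption) of hudson.util.VersionNumber ordering:
    split on '.', numeric-leading components sort by their integer value first,
    purely alphabetic components sort after numeric ones and among themselves as strings."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if m:
            parts.append((0, int(m.group(1)), m.group(2)))
        else:
            parts.append((1, 0, piece))
    return tuple(parts)


def at_least(version, minimum):
    """True if `version` satisfies a pom lower bound of `minimum`."""
    return version_key(version) >= version_key(minimum)


def declared_dependencies(pom_xml):
    """Return {artifactId: version} for the <dependencies> of a Maven pom."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for dep in root.findall("m:dependencies/m:dependency", MAVEN_NS):
        artifact = dep.find("m:artifactId", MAVEN_NS).text
        deps[artifact] = dep.find("m:version", MAVEN_NS).text
    return deps


def assess(pom_xml, update_center, advisory_fixed):
    """For each dependency named in the advisory, report:
    fresh_install_fixed: a user without the dependency gets the UC latest; is that fixed?
    lower_bound_fixed:   does the pom's minimum alone already require a fixed version?"""
    report = {}
    for artifact, minimum in declared_dependencies(pom_xml).items():
        if artifact not in advisory_fixed:
            continue
        fixed = advisory_fixed[artifact]
        latest = update_center[artifact]["version"]
        report[artifact] = {
            "declared_minimum": minimum,
            "fresh_install_fixed": at_least(latest, fixed),
            "lower_bound_fixed": at_least(minimum, fixed),
        }
    return report


if __name__ == "__main__":
    for name, info in assess(POM_XML, UPDATE_CENTER, ADVISORY_FIXED).items():
        print(name, info)
```

With the constructed data, mailer comes back as `fresh_install_fixed: True` (a new install gets the update-center latest, which is the fixed version) and `lower_bound_fixed: False` (the pom's `1.32.1` minimum does not itself force anyone onto the fix), which is exactly the situation where bumping the pom silences the GitHub warning but is not needed for new installs to be safe.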
