Arsnael commented on code in PR #2638:
URL: https://github.com/apache/james-project/pull/2638#discussion_r1954027417


##########
server/blob/blob-s3/pom.xml:
##########
@@ -33,7 +33,7 @@
     <name>Apache James :: Server :: Blob :: S3</name>
 
     <properties>
-        <s3-sdk.version>2.30.16</s3-sdk.version>
+        <s3-sdk.version>2.29.52</s3-sdk.version>
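
Review bot: the `s3-sdk.version` property moves backwards here, from 2.30.16 to 2.29.52, and nothing next to it records why. If the downgrade is meant to change a transitive dependency, compare the resolved versions with `mvn dependency:tree` before and after to confirm it has that effect. If the pin stays, add an XML comment beside the property stating the reason, so a later routine bump does not silently undo it.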

Review Comment:
   Sorry it took me a while to write the reason why. First of all, as 
explained below, those two versions seem to have the same version of netty, per 
the link pasted to the source code, aka 4.1.115. So I don't see how your change is 
addressing the CVE on this side.
   
   Second, upgrading to 2.30.17 (that is aligned with the correct version of 
netty) implies serious breaking changes, as explained below, that require 
being careful and proper testing before jumping in. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

