rvesse commented on PR #2234: URL: https://github.com/apache/jena/pull/2234#issuecomment-1920883801
Thanks for the PR but in this case we cannot accept it. The module containing the `4.8.0` dependency is purely a benchmarking module used to compare performance numbers between the old version of one of our core API implementations with a newer version that was introduced from `4.9.0` onwards. So the usage of `4.8.0` is a) intentional and b) only for performance benchmarking purposes to ensure no substantive performance regressions.

The usage of `4.8.0` within the benchmarking is tightly scoped to the API under test and does not use any of the portions of the API affected by CVE-2023-32200. As such there is no security risk involved here and I will close this issue.

Please note that for future reference any security issues with any Apache project should be reported using the [Apache Security Process](https://www.apache.org/security/) and not via public PRs/issues.
