On 27/05/2021 16:29, Matt Sicker wrote:
> As the user, you have ultimate control over transitive dependency
> versions that end up in your application. Using Maven, for example,
> you can override the commons-fileupload dependency on commons-io to
> the latest release. I don't think anyone here wants to go through an
> entire release for a component just to update a dependency.
I'll add that a vulnerability in a dependency does not always translate
into a vulnerability in the code using the dependency. The last time the
ASF looked at this across a large number of our Java projects, only
about 10% of vulnerabilities translated into potential vulnerabilities
in the code using the dependency.
Mark
On Thu, 27 May 2021 at 10:00, Singh, Randeep <rand.si...@sap.com.invalid> wrote:
> Hi All,
> This is regarding one of the security issues reported in our component, which
> is coming from the commons-io (2.2) lib as a transitive dependency via
> commons-fileupload.
> It seems this is fixed in commons-io (2.7) or above, hence would it be
> possible to bump the version of commons-io to 2.8 or 2.9 and release a patch?
> I can see that it has been already done with this commit:
> https://github.com/apache/commons-fileupload/commit/8370f1e0a15a0469d04579e2abd5500ebf90b8c8/
> May I know by when we can expect a release of 2.0, in case a patch is not
> possible?
> Best Regards
> Randeep
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org