@mreut...@apache.org - Marcel, can you provide any input? Thanks, Jesse
On Thu, Sep 8, 2022 at 6:33 AM Julian Reschke <julian.resc...@gmx.de> wrote: > Am 07.09.2022 um 15:25 schrieb Jesse: > > Hello, I am updating POM dependencies for JCR-OAK and was unsure about > > dependencies. > > > > The JCR-OAK support page says that the mongo document store should be > > running on MongoDB 4.4 ( > > > https://jackrabbit.apache.org/oak/docs/nodestore/document/mongo-document-store.html > > ) > > > > The Maven Central page for oak-jcr ( > > https://mvnrepository.com/artifact/org.apache.jackrabbit/oak-jcr/1.44.0 > ) > > displays the mongo-java-driver version that is tested against is 3.12.7 > > (which has a published CVE). > > Yes, that dependency should be updated. I opened > <https://issues.apache.org/jira/browse/OAK-9925>. > > > The mongo-java-driver compatibility page ( > > https://www.mongodb.com/docs/drivers/java/sync/current/compatibility/ ) > > shows that driver version 3.12 only fully supports mongo db 4.2, and not > > all of the features of mongodb 4.4. > > > > Why is mongo db 4.4 specified in the oak docs instead of 4.2? > > > > Why still specify a very old and vulnerable version of mongo-java-driver > in > > the JCR-OAK dependencies? > > > > Confirming that JCR-OAK-1.44 / MongoDB 4.4 / Mongo-java-driver 3.12 is > the > > correct combination? > > > > Thanks, Jesse > > For the remaining issues, let's hear from Marcel :-) > > Best regards, Julian > >
