Thanks. Filing a JIRA is fine. I don't think we use either of these dependencies in such a way that this poses a danger in Beam, but we should probably upgrade them just to be safe (and avoid any questions, including those surfaced by automated tools). Fortunately the version bumps don't look that big.

On Thu, Jul 29, 2021 at 8:55 AM Cain, Joel (Developer) <[email protected]> wrote:
>
> Hi dev@apache,
>
> I recently opened a ticket (https://issues.apache.org/jira/browse/BEAM-12679)
> for dealing with some critical vulnerabilities in dependencies flagged by
> Twistlock, used by Beam. Just wanted to check that this is the right way to
> flag an issue of this kind? Please let me know if this is something that
> needs to be raised elsewhere.
>
> Kind regards,
> Joel
