> On Sep 6, 2023, at 1:09 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> 
> +1.
> 
> Just one thing I noticed, Shawn, is that /lib/ehcache-2.10.9.2.jar
> contains a large amount of embedded CVEs (Jackson, Jetty). Is it
> planned to update to ehcache 3.x?

Interesting that I missed this. I’ll have another look. I knew the lib was old,
and so yeah, it’s long overdue for an upgrade.

I’ll start looking into it.

> There are also CVEs reported against
> ./WEB-INF/lib/guava-30.1-jre.jar + ./WEB-INF/lib/mina-core-2.2.2.jar.
> Other directory projects have set up dependabot alerts so it displays
> in GitHub whether dependencies have CVEs or not.
> 

Have seen these, not sure how to proceed.

Thanks Colm!

—
Shawn

> Colm.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
