For just the dependabot alerts, you can ask INFRA like in https://issues.apache.org/jira/browse/INFRA-22828
If you want dependabot pull requests, then let me know and I can help with that part.

Colm.

On Wed, Sep 6, 2023 at 9:18 AM Shawn McKinney <shawn.michael.mckin...@gmail.com> wrote:
>
> > On Sep 6, 2023, at 1:09 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> >
> > +1.
> >
> > Just one thing I noticed Shawn, is that /lib/ehcache-2.10.9.2.jar
> > contains a large amount of embedded CVEs (Jackson, Jetty), is it
> > planned to update to ehcache 3.x?
>
> Interesting that I missed this. I’ll have another look. I knew the lib was
> old, and so yeah, it’s long overdue for upgrade.
>
> I’ll start looking into it.
>
> > There are also CVEs reported against
> > ./WEB-INF/lib/guava-30.1-jre.jar + ./WEB-INF/lib/mina-core-2.2.2.jar.
> > Other directory projects have set up dependabot alerts so it displays
> > in GitHub whether dependencies have CVEs or not.
> >
>
> Have seen these, not sure how to proceed.
>
> Thanks Colm!
>
> —
> Shawn
>
> > Colm.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
> For additional commands, e-mail: dev-h...@directory.apache.org