Hi Ralph,

On Fri, 20 May 2022 at 18:06, Ralph Goers <[email protected]> wrote:
> I am working through the last few issues I want to resolve for 2.18.0.
> I’d like to hope I can have them done today but I might not. I will be
> traveling tomorrow through Wed, May 25 to visit friends and family. While
> it is possible I might be able to do the release then, it is unlikely. So
> right now my plan is to start the process next Wednesday evening MST.
>

I am a little behind my schedule, so I sent a PR for 2.18.0 only tonight. It's a feature addition, so I'd like to profit from a minor version bump.

It would be nice to update some dependencies too before 2.18.0: the `log4j-core` page on MvnRepository shows 9 security issues from dependencies (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.17.2). Except for `jackson-databind`, which we need to upgrade again, the others are in the test dependencies. However, many people don't look at which dependencies are vulnerable and just assume the library is.

Removing the `log4j` 1.x dependency from `log4j-core` (IIRC it's used by a performance test) and bumping `h2` would clear most of the vulnerabilities from test dependencies.

Piotr
