olamy commented on pull request #21: URL: https://github.com/apache/maven-site-plugin/pull/21#issuecomment-910947476
> > Somewhat. They block Jetty for everyone(including the projects where the vulnerabilities applies) which affects this plugin indirectly. > > If it helps, what we use is similar to this : > > https://www.google.com/amp/s/blog.sonatype.com/keeping-third-party-dependencies-in-check-with-nexus%3fhs_amp=true > > Many vendors provide this superficial crap -- as you can see it proves nothing here. > @michael-o so many tools send warning/alarms because of dependencies with security issues/CVE. maybe (certainly) it's wrong but big companies use those tools as a policy and we can't fight this!! BUT we still want people using Apache Maven so we have to live with that! @yeikel I will update this PR > > If this PR is considered stale then I can resume and maybe target the latest version instead? > > Split between Java 8 upgrade and Jetty upgrade in at least two PRs. > > @hboutemy @rfscholte Yet another reason why we need to split this plugin in two. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org