I would generally prefer that no dependencies have known security issues.
Basically, my position on this is the same as it was ~3 years ago in the
thread at [1].

Also, I'd agree with what was reported at [2] that it doesn't make sense to
depend on versions that have been declared as EOL when there is a newer
alternative that is still maintained.

1. https://lists.apache.org/thread/jhj626gn9xzng3bdxkmyx6ozyvcg7rlq
2. https://issues.apache.org/jira/browse/SLING-11621

Regards,
Eric

On Wed, Oct 19, 2022 at 8:28 AM Carsten Ziegeler <cziege...@apache.org>
wrote:

> Hi,
>
> in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> it's worth having a hopefully brief discussion about our dependency
> update policy.
>
> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> what we said in the past and I think this is a good guideline, keeping
> the dependency at the lowest required.
>
> However :) with security issues in dependencies like the above, we leave
> all the responsibility on our users. Clearly, we don't want any of our
> users to run with known security issues, so if we update our
> dependencies to versions without known issues, we help our customers as
> they have to update the dependencies as well. It makes the world a
> little bit safer and avoids all these continuous scanning reports.
>
> I'm currently torn between the two, slightly preferring to update
> dependencies in case of security issues.
>
> Regards
> Carsten
> --
> Carsten Ziegeler
> Adobe
> cziege...@apache.org
>