>> For Sling Starter this is obviously us.
>> 
>> I would recommend to introduce some automated means (apart from
>> dependabot) to check for vulnerabilities on all Maven projects which are
>> not OSGi bundles.
>> Something like
>> https://jeremylong.github.io/DependencyCheck/dependency-check-maven/
>> works for that use case.
>> 
>> 
> Sure, but on each hit of that plugin "someone" needs to look at the details
> in a timely fashion and decide if we should do that update or not. Given
> that Sling has approx 300 github repositories that will be quite a bit of
> work.
> 
My proposal was to only enable that check for non-OSGi bundles (which is just a 
handful of those 300).

For embedded dependencies we need to find some other solution (don’t know if 
there is already something out there).
Konrad
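One way to wire that up, as an added example and not Sling's own build configuration: a Maven profile that runs OWASP dependency-check-maven only for modules without a bnd.bnd file (assumed here as the marker of a non-OSGi module), fails the build only above a CVSS threshold, and records reviewed false positives in a suppression file. The property `dependency-check.version` and the file name `owasp-suppressions.xml` are assumed names.

```xml
<!-- Added example (not Sling's pom): run dependency-check-maven for non-OSGi modules.
     Assumption: a module with no bnd.bnd file is not an OSGi bundle; adapt the
     activation rule to the project's actual layout. -->
<profiles>
  <profile>
    <id>dependency-check</id>
    <activation>
      <file>
        <missing>${basedir}/bnd.bnd</missing>
      </file>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- assumed property; pin it to a released plugin version in the parent pom -->
          <version>${dependency-check.version}</version>
          <executions>
            <execution>
              <goals>
                <goal>check</goal>
              </goals>
              <phase>verify</phase>
            </execution>
          </executions>
          <configuration>
            <!-- fail only for findings at or above this CVSS score, so that
                 low-severity hits do not each demand an immediate decision -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
            <!-- assumed file name: reviewed false positives go here so they
                 do not resurface on every build -->
            <suppressionFiles>
              <suppressionFile>${basedir}/owasp-suppressions.xml</suppressionFile>
            </suppressionFiles>
          </configuration>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```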
