On Friday, 28 October 2022 18:36:07 CEST Jörg Hoh wrote:
> I want to add another aspect to this discussion.
>
> In many of our integration tests we use the versions of additional bundles
> to deploy into the IT from the pom. That means that in all of these ITs we
> deliberately test against old(er) versions of our bundles (except the test
> subject, of course); that might be a combination of bundles many consumers
> won't use anymore, and which leaves some gaps in test coverage for new
> features.

Such gaps can easily be closed. The modules¹ which use Testing PaxExam for ITs use (test) dependencies decoupled from the (compile) versions in the POM. See the second point below Features².

Regards,
O.

[1] https://github.com/apache/sling-org-apache-sling-testing-paxexam/network/dependents
[2] https://sling.apache.org/documentation/development/testing-paxexam.html#features

> On Wed., 19 Oct. 2022 at 17:28, Carsten Ziegeler <cziege...@apache.org> wrote:
> > Hi,
> >
> > in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> > it's worth to have a hopefully brief discussion about our dependency
> > update policy.
> >
> > https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> > what we said in the past and I think this is a good guideline, keeping
> > the dependency at the lowest required.
> >
> > However :) with security issues in dependencies like the above, we leave
> > all the responsibility on our users. Clearly, we don't want any of our
> > users to run with known security issues, so if we update our
> > dependencies to versions without known issues, we help our customers as
> > they have to update the dependencies as well. It makes the world a
> > little bit safer and avoids all these continuous scanning reports.
> >
> > I'm currently torn between the two, slightly preferring to update
> > dependencies in case of security issues.
> >
> > Regards
> > Carsten
> > --
> > Carsten Ziegeler
> > Adobe
> > cziege...@apache.org