Hi,

On Wed, 2022-10-19 at 17:28 +0200, Carsten Ziegeler wrote:
> Hi,
> 
> in light of https://issues.apache.org/jira/browse/SLING-11623 I think
> it's worth having a hopefully brief discussion about our dependency
> update policy.
> 
> https://cwiki.apache.org/confluence/display/SLING/Dependabot captures
> what we said in the past and I think this is a good guideline, keeping
> the dependency at the lowest required.
> 
> However :) with security issues in dependencies like the above, we leave
> all the responsibility on our users. Clearly, we don't want any of our
> users to run with known security issues, so if we update our
> dependencies to versions without known issues, we help our customers as
> they have to update the dependencies as well. It makes the world a
> little bit safer and avoids all these continuous scanning reports.
> 
> I'm currently torn between the two, slightly preferring to update
> dependencies in case of security issues.

I think there is a middle ground here. We can update the pom dependency
but manually set the import ranges with bnd.

It is more error-prone and I don't think we should do it lightly, which
is why it is a good fit for security updates only.

FWIW, the recent commons-text update did update the version ranges, so
we can't rely on projects not updating their version ranges if nothing
changed; most of them use the project version for exported packages.

We could couple this with something like the ossindex-maven-plugin [1]
to fail the build for CVEs of a certain severity, with the possible
addition of an exclude list of CVEs that we are sure do not affect us.

Thoughts?
Robert

[1]: https://sonatype.github.io/ossindex-maven/
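For readers following the thread, here is what the middle ground Robert sketches could look like in a bundle's pom.xml. This is an added illustration written for this page, not code from the thread or from Apache Sling: it bumps the pom dependency, pins the OSGi import range separately through bnd, and wires in the ossindex-maven-plugin to fail the build above a CVSS threshold with a reviewed exclude list. Version numbers, the import range and the vulnerability id are placeholders (the thread gives none); the bnd-maven-plugin inline `<bnd>` block, the pass-through of Maven properties as bnd macros, and the ossindex parameter names (`fail`, `cvssScoreThreshold`, `excludeVulnerabilityIds`) are taken from those plugins' documentation as I know it and should be checked against the release you use.

```xml
<!-- Added example pom.xml fragment; placeholders are written in UPPER CASE. -->
<project>
  <properties>
    <!-- PLACEHOLDER: first release of the dependency without the known issue -->
    <commons-text.version>X.Y.Z</commons-text.version>
    <!-- PLACEHOLDER: lowest version the bundle's code actually needs, so
         consumers that already run an older but sufficient release still resolve -->
    <commons-text.import.range>[LOWEST-REQUIRED,2)</commons-text.import.range>
  </properties>

  <dependencies>
    <!-- 1. build and test against the fixed release -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${commons-text.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- 2. keep the OSGi import range at the lowest required instead of
              letting bnd derive it from the (now higher) compile version -->
      <plugin>
        <groupId>biz.aQute.bnd</groupId>
        <artifactId>bnd-maven-plugin</artifactId>
        <configuration>
          <bnd><![CDATA[
# assumption: Maven project properties are available as bnd macros
Import-Package: \
  org.apache.commons.text;version="${commons-text.import.range}",\
  *
          ]]></bnd>
        </configuration>
      </plugin>

      <!-- 3. fail the build when a dependency carries a known vulnerability
              at or above the chosen CVSS score -->
      <plugin>
        <groupId>org.sonatype.ossindex.maven</groupId>
        <artifactId>ossindex-maven-plugin</artifactId>
        <!-- PLACEHOLDER: use the current plugin release -->
        <version>PLUGIN-VERSION</version>
        <executions>
          <execution>
            <id>audit-dependencies</id>
            <phase>validate</phase>
            <goals>
              <goal>audit</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <fail>true</fail>
          <!-- "certain severity": here CVSS 7.0 (High) and above break the build -->
          <cvssScoreThreshold>7.0</cvssScoreThreshold>
          <excludeVulnerabilityIds>
            <!-- PLACEHOLDER: only ids reviewed and confirmed not to affect this bundle;
                 keep the reasoning next to each entry so the exclusion can be re-checked -->
            <excludeVulnerabilityId>CVE-YYYY-NNNNN</excludeVulnerabilityId>
          </excludeVulnerabilityIds>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

The point of splitting steps 1 and 2 is the error-prone part Robert mentions: once the compile version is bumped, bnd would otherwise widen the lower bound of the import range to the new version, forcing every consumer to upgrade, so the range has to be stated by hand and re-checked whenever the dependency's own exported package versions move. Step 3 turns the "continuous scanning reports" into a build-time signal with an explicit, reviewable exclude list.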
