cziegeler commented on PR #149: URL: https://github.com/apache/sling-site/pull/149#issuecomment-1846609480
We all (open source projects, companies) get swamped with automatically generated security scan reports. These reports have no idea about Maven scopes, modularity, OSGi, you name it. The only way to get ahead of that flood is to update our dependencies to versions without known security vulnerabilities. If we don't do this, our modules look like they have security vulnerabilities and we do not care. It is pretty hard and time consuming to fight this with explanations. The only thing that works is action, and that is updating the dependencies.

But we are also not doing a good service for our users if we allow them to use insecure dependencies. If we update our dependencies, we force our users to a more secure world.

However, updating a dependency in a pom to a newer version is usually a very cheap change. Releasing the module with the updated dependency is not that cheap anymore. At the same time, we most likely will always be behind with updating, or simply overlook a report for some time. Which means our users still have to look for security vulnerabilities themselves and update their projects.

Taking all of this together, I think it is good to set a clear expectation to our users that they have to take care of their systems and update dependencies as required. That is the nature of a modular system. On the other end, we should update dependencies with known vulnerabilities to a version that has no known vulnerabilities. But we need to clearly state that this only makes security scans happy. It does not fix anything anywhere.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@sling.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
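The comment's point that scan reports ignore Maven scopes can be turned into a small triage step: before deciding whether a flagged dependency warrants a pom update and a release, check which scope it is declared in. The following is an added example, not code from the Sling project or from the comment's author; the POM, the artifact coordinates and the "scan report" list are constructed for illustration, and the script only looks at direct dependencies of a single POM (transitive and parent-managed dependencies are out of scope).

```python
"""Triage helper (added example, not Apache Sling code): group a Maven POM's
direct dependencies by scope so that scanner findings against test- or
provided-scoped artifacts can be separated from those that ship at runtime."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample POM; group/artifact ids and versions are illustrative only.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>example-bundle</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <jackson.version>2.15.2</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.osgi</groupId>
      <artifactId>osgi.core</artifactId>
      <version>8.0.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Scopes whose artifacts are packaged with / required at runtime by the built module.
RUNTIME_SCOPES = {"compile", "runtime"}


def _text(elem, tag, default=None):
    """Return the stripped text of a namespaced child element, or `default`."""
    child = elem.find(f"{{{POM_NS}}}{tag}")
    return child.text.strip() if child is not None and child.text else default


def parse_dependencies(pom_xml):
    """Return [(group:artifact:version, scope)] with ${property} versions resolved
    from <properties>; Maven's default scope is 'compile'."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find(f"{{{POM_NS}}}properties")
    if props_elem is not None:
        for p in props_elem:
            props[p.tag.split("}")[1]] = (p.text or "").strip()
    deps = []
    for dep in root.iterfind(f"{{{POM_NS}}}dependencies/{{{POM_NS}}}dependency"):
        version = _text(dep, "version", "")
        if version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1], version)
        coord = f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}:{version}"
        deps.append((coord, _text(dep, "scope", "compile")))
    return deps


def triage(pom_xml, flagged):
    """Split scanner-flagged coordinates into three buckets:
    ships      - compile/runtime scope: the module really carries this artifact;
    not_shipped- test or provided scope: not packaged (provided means the OSGi
                 container supplies it, so any fix belongs to the platform);
    unknown    - not a direct dependency of this POM (likely transitive)."""
    scopes = dict(parse_dependencies(pom_xml))
    result = {"ships": [], "not_shipped": [], "unknown": []}
    for coord in flagged:
        scope = scopes.get(coord)
        if scope is None:
            result["unknown"].append(coord)
        elif scope in RUNTIME_SCOPES:
            result["ships"].append(coord)
        else:
            result["not_shipped"].append(coord)
    return result


if __name__ == "__main__":
    # Constructed "scan report" naming all three sample coordinates.
    report = ["com.fasterxml.jackson.core:jackson-databind:2.15.2",
              "org.osgi:osgi.core:8.0.0", "junit:junit:4.13.2"]
    for bucket, coords in triage(SAMPLE_POM, report).items():
        print(bucket, coords)
```

Only the `ships` bucket is a candidate for the "bump the version, cut a release" cost the comment describes; `not_shipped` findings are the scanner noise the comment is talking about and can be answered by pointing at the scope, while `unknown` entries need the dependency tree (`mvn dependency:tree`) rather than this POM alone.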