Hi Richard,

Maybe not fully answering your request for a dependency analysis of
lib/, but running the latest grype led to this small finding:

NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium

The use of apache-mime4j-core comes from: geronimo-mail_2.1_spec-1.0.0-M1.jar

This vulnerability is associated with CVE-2024-21742 in Maven Central.

If it is not trivial to fix in 9.1.3, then I guess its medium severity
doesn't make it vital to update.

Should I check other dependencies against criteria not related to vulnerabilities?

Thanks,
Alex

On Fri, 29 Mar 2024 at 12:44, Richard Zowalla <r...@apache.org> wrote:
>
> Hi,
>
> I have nothing against doing a TomEE 9.1.3, which is merely a time
> thing. Doing the actual release preparation, starting the vote, etc.
> takes ~30-60 min depending on the machine.
>
> If we need to do additional library upgrades, it might take some
> additional time to wait until CI is complete and to fix potential
> issues. Good thing is, that current CI build is happy.
>
> What would help to speed things up:
>
> Are there any additional dependencies we need to update for 9.1.3 ?
>
> If someone can have a quick look into /lib of a 9.1.3-SNAPSHOT, we
> might be able to do the updates quickly and get some CI feedback, so we
> can start with the release preparations.
>
> Regards
> Richard
>
> On Friday, 29.03.2024 at 11:01 +0100, Alex The Rocker wrote:
> > Hi there,
> >
> > It's been more than 3 months since TomEE 9.1.2 was released.
> > A couple of updates have been delivered in the in-progress 9.1.3, including 2
> > CVE fixes.
> > Wouldn't it be a good thing to release a 9.1.3 within the coming weeks?
> >
> > (I know we would like to have 10.0.0 asap, but a small patch release
> > on 9.2.x with dependency / security fixes could help keep
> > community users comfortable with not-too-old versions)
> >
> > (my 2 cents ;)
> >
> > Alex
>
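
The triage Alex does by hand above (read the grype table, map the GHSA id to its CVE, find the jar the artifact is nested in, then judge whether the severity and the availability of a fix justify holding the release) can be scripted against grype's JSON output. The following is an added example for this thread, not code from the TomEE project or from either poster. It assumes the field layout that `grype dir:lib -o json` produces (`matches[].vulnerability`, `matches[].artifact`, `matches[].relatedVulnerabilities`); the embedded report is a constructed sample modelled on that layout for the one finding in the thread, not a captured run, and the location path is assumed to be the enclosing jar, which is how the message reports it. The script name `triage.py` is hypothetical.

```python
"""Triage a grype JSON report and decide whether a finding blocks a release.

Added example for the thread above; not TomEE project code. Field names
follow grype's JSON output (matches[].vulnerability / .artifact /
.relatedVulnerabilities). Run with a report path to triage a real scan,
or with no arguments to triage the constructed sample below.
"""
import json
import sys

# grype's severity ladder; anything unrecognised ranks below Negligible.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample, modelled on grype's JSON layout for the one finding
# discussed in the thread. Not captured from a real run; the location path
# is assumed to be the enclosing jar, which is how the message reports it.
SAMPLE_REPORT = {
    "matches": [
        {
            "vulnerability": {
                "id": "GHSA-jw7r-rxff-gv24",
                "severity": "Medium",
                "fix": {"versions": ["0.8.10"], "state": "fixed"},
            },
            "relatedVulnerabilities": [{"id": "CVE-2024-21742"}],
            "artifact": {
                "name": "apache-mime4j-core",
                "version": "0.8.7",
                "type": "java-archive",
                "locations": [{"path": "lib/geronimo-mail_2.1_spec-1.0.0-M1.jar"}],
            },
        }
    ]
}


def severity_rank(name):
    return SEVERITY_RANK.get(name, -1)


def parse_findings(report):
    """Flatten grype matches into one dict per finding."""
    findings = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        # A GHSA match usually carries its CVE as a related vulnerability;
        # a match keyed directly on a CVE id is recorded as its own alias.
        cves = [r["id"] for r in match.get("relatedVulnerabilities", [])
                if r.get("id", "").startswith("CVE-")]
        if vuln["id"].startswith("CVE-") and vuln["id"] not in cves:
            cves.insert(0, vuln["id"])
        fix = vuln.get("fix") or {}
        findings.append({
            "id": vuln["id"],
            "cves": cves,
            "severity": vuln.get("severity", "Unknown"),
            "artifact": f"{artifact['name']} {artifact['version']}",
            "type": artifact.get("type", ""),
            "fixed_in": list(fix.get("versions") or []),
            "fixed": fix.get("state") == "fixed",
            "found_in": [loc["path"] for loc in artifact.get("locations", [])],
        })
    return findings


def release_blockers(findings, fail_on="High", only_fixed=True):
    """Findings that should hold up the release.

    A finding blocks when its severity is at or above fail_on. With
    only_fixed=True a finding without a fixed version is still listed by
    format_finding() but does not block, since there is no upgrade to
    apply yet (the same idea as grype's --fail-on and --only-fixed).
    """
    threshold = severity_rank(fail_on)
    return [f for f in findings
            if severity_rank(f["severity"]) >= threshold
            and (f["fixed"] or not only_fixed)]


def format_finding(f):
    alias = f" ({', '.join(f['cves'])})" if f["cves"] else ""
    fixed = ", ".join(f["fixed_in"]) if f["fixed_in"] else "no fix yet"
    where = "; ".join(f["found_in"]) or "unknown location"
    return f"{f['severity']:<10} {f['id']}{alias}: {f['artifact']} -> {fixed} [in {where}]"


def main(argv):
    # Usage: python triage.py [grype.json] [fail-on severity]
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fail_on = argv[2] if len(argv) > 2 else "High"
    findings = parse_findings(report)
    for f in findings:
        print(format_finding(f))
    blockers = release_blockers(findings, fail_on=fail_on)
    print(f"{len(findings)} finding(s), {len(blockers)} blocking at fail-on={fail_on}")
    return 1 if blockers else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the default `fail_on="High"` the sample finding is reported but does not block, which matches the judgement in the message; lowering the threshold to `Medium` turns it into a blocker. Setting `only_fixed=False` makes unfixed findings block too, which is the stricter policy to use when the scan is the last gate before a vote.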
