I'm more interested in working for 10.x milestone and Jakarta 11 which is
about to be released.


On Fri, 29 Mar 2024 at 13:52, Alex The Rocker <[email protected]> wrote:

> Hello Richard,
>
> I don't see other dependencies which would be vital to upgrade in TomEE
> 9.1.3.
>
> As discussed on another thread on TomEE dev list, I think that we
> should keep 9.1.x series as stable as possible until 10.x is released,
> so as to unlock from the weird Tomcat deprecated dependency (Servlet 5
> etc)
>
> Is there anything else I could do to help on a 9.1.3 within coming weeks?
>
> Thanks,
> Alex
>
> On Fri, 29 Mar 2024 at 13:07, Alex The Rocker <[email protected]> wrote:
> >
> > Hi Richard,
> >
> > Maybe not fully answering your request to get dependencies analysis on
> > lib/, but running latest grype led to this small finding:
> >
> > NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> > apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
> >
> > The use of apache-mime4j-core comes from:
> > geronimo-mail_2.1_spec-1.0.0-M1.jar
> >
> > This vulnerability is associated with CVE-2024-21742 in Maven central.
> >
> > If not trivial to fix in 9.1.3 then I guess its medium severity
> > doesn't make it vital to update.
> >
> > Should I check other dependencies against non-vulnerability-related
> > criteria?
> >
> > Thanks,
> > Alex
> >
> > On Fri, 29 Mar 2024 at 12:44, Richard Zowalla <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > I have nothing against doing a TomEE 9.1.3, which is merely a time
> > > thing. Doing the actual release preparation, starting the vote, etc.
> > > takes ~ 30-60min depending on a machine.
> > >
> > > If we need to do additional library upgrades, it might take some
> > > additional time to wait until CI is complete and to fix potential
> > > issues. Good thing is, that current CI build is happy.
> > >
> > > What would help to speed things up:
> > >
> > > Are there any additional dependencies we need to update for 9.1.3?
> > >
> > > If someone can have a quick look into /lib of a 9.1.3-SNAPSHOT, we
> > > might be able to do the updates quickly and get some CI feedback, so we
> > > can start with release preparations.
> > >
> > > Regards
> > > Richard
> > >
> > > On Friday, 29.03.2024 at 11:01 +0100, Alex The Rocker wrote:
> > > > Hi there,
> > > >
> > > > > It's been more than 3 months since TomEE 9.1.2 was released.
> > > > > A couple of updates have been delivered in 9.1.3 in-work, including 2
> > > > > CVE fixes.
> > > > > Wouldn't it be a good thing to release a 9.1.3 within coming weeks?
> > > > >
> > > > > (I know we would like to have 10.0.0 asap, but a small patch release
> > > > > on 9.2.x with dependencies / security fixes could help keeping
> > > > > community users comfortable with not too old versions)
> > > >
> > > > (my 2 cents ;)
> > > >
> > > > Alex
> > >
>
