As the user, you have ultimate control over transitive dependency versions that end up in your application. Using Maven, for example, you can override the commons-fileupload dependency on commons-io to the latest release. I don't think anyone here wants to go through an entire release for a component just to update a dependency.
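As an added illustration of the override described above (not code from this thread or from the Commons project), here is a consuming application's pom.xml that pins commons-io via dependencyManagement; the project coordinates are placeholders, commons-fileupload 1.4 is assumed as the artifact that declares commons-io 2.2, and 2.9.0 is assumed as the 2.9 release referred to in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the original thread. Coordinates for the
     application itself are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-app</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- A version declared here wins over whatever commons-fileupload
           requests transitively (assumed: 1.4 requests commons-io 2.2),
           so the application resolves commons-io 2.9.0 without waiting
           for a new commons-fileupload release. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.9.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency that pulls commons-io in transitively. -->
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.4</version>
    </dependency>
  </dependencies>
</project>
```

Run `mvn dependency:tree -Dincludes=commons-io` afterwards; the tree should list commons-io at 2.9.0 rather than 2.2, which confirms the managed version is the one that ships in the build.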
On Thu, 27 May 2021 at 10:00, Singh, Randeep <rand.si...@sap.com.invalid> wrote:
>
> Hi All,
>
> This is regarding one of the security issues reported in our component,
> which comes from the commons-io (2.2) lib transitive dependency via
> commons-fileupload.
> It seems this is fixed in commons-io (2.7) or above, hence would it be
> possible to bump the version of commons-io to 2.8 or 2.9 and release a patch?
> I can see that it has already been done with this commit
> https://github.com/apache/commons-fileupload/commit/8370f1e0a15a0469d04579e2abd5500ebf90b8c8/
> May I know by when we can expect a release of 2.0, in case a patch is not
> possible?
>
> Best Regards
> Randeep