Re: [orbit-dev] Add versions without CVEs?
Hello Tony,
The change is definitely wanted. In fact a plugin I help maintain has transitive
dependencies to the Jackson stack, and even the upstream for that has moved
to 2.9.8. If 2.9.2 -> 2.9.8 are merely security fixes (as the version would imply)
then it shouldn't be too complicated. However I haven't had too much time to
look at this, and I'm not sure if I'll get that much more.

Also, we do have commons-compress 1.18.0 since 2018-12, so I guess what
you're really requesting here is the removal of all the bundles below that to
prevent usage of it in future releases.

We could easily review/accept contributions that stay under 1000 LOC. I think
this is possible if the Jackson 2.9.2 is modified to 2.9.8. If it gets to be over that
amount, we would likely need to file a CQ. If you'd like to submit a contribution,
that sounds good, and I can maybe find the time to review. I'll also need to file
some CQs for the updated bundles.
Cheers,
Roland Grunberg