Patching Vulns#23
Conversation
|
Vuln num: GHSA-pr98-23f8-jwxv |
|
Through upgrading Logback to |
There was a problem hiding this comment.
Since this is a patch, I'm wondering if we should bump this to 3.4.1 as well and re-use the property below (like it was being done before) instead of hardcoding differently at two places.
What do you think?
Why I'm not sure is if the initial engineers had the rationale that the apis-common and apis-bom version would be tied hand-in-hand, but there's a solid argument against it - because that would cause more coupled changes, in case we add more patches in future and bump it to a version for which apis-bom doesn't exist.
I say good to go.
There was a problem hiding this comment.
I guess we should, to maintain consistency and coherence for next devs,
Otherwise, yes apis-common and apis-bom are tightly coupled because Maven’s version has merged rules for apis-common, supplies versions some deps rely on entirely, and defines the shared dependency contract the rest of the APIS stack expects.
We can separate them (creating isolation layers for further convience) by either dropping the BOM import or keep the BOM import at parent level (apis main maybe?)
Yeah, I'll be waiting on your answer x_x
There was a problem hiding this comment.
Hmm this brings the question why then APIS is not a monolith/monorepo... (if we are to couple versions so strongly)
There was a problem hiding this comment.
I say lets let this in - better to make progress rather than introduce more maintenance overhead.
axmsoftware
left a comment
There was a problem hiding this comment.
@FlawzyByte could you use properties for versions? For example:${project.version}
3.4.1
This looks like regression. Could we have one place to adjust versions of importance that need to be consistent between components and a pattern for the ones that stay fix and are only component specific? Thanks!
|
The original setup kept apis-common and the stack (apis-bom) on 3.0.0. hyphae/apis-bom@40a40a0 wasn’t something the initial team had done So this repo is still apis-common 3.0.0 while the BOM line assumes 3.4.1. The simplest solution is to align and release apis-common 3.4.1 to maintain ${project.version} property approach. |
|
Also dependabot has upgraded vertx to 5.0.7 |
1/ Patched vuln num: GHSA-vmq6-5m68-f53m
Solution: Upgrading logback from 1.4.11 to 1.4.12