Updating bcprov-jdk18on to fix CVE-2024-29857 and other CVEs

[Skillzore]

Just wondering if there are any plans to update the bouncycastle dependency to the latest version 1.78.1 to get rid of the CVEs present in the current version of the dependency?

For reference, see Security Advisories in the bouncycastle release notes here.

[mbechler]

Unless there is a binary or source incompatibility preventing people from upgrading - I'm not going to do releases just to bump the pom version - consumers can just override the version and management of runtime dependency versions generally is up to them.

[miroslavvojtus]

1. thanks for your work.
2. this is pretty unfortunate approach. It is common practice that library maintainer maintains safe dependencies if it uses dependency management tools. This way we are making vulnerable whole the community. It is like why should thousands dependent projects make hack if only one the depended may do it right.

[mbechler]

What you are implying is that 100eds to thousands of library maintainers should push "empty" releases each time if a dependency makes a compatible release - with all due respect - this would be a complete waste of time for everybody.