Just wondering if there are any plans to update the bouncycastle dependency to the latest version 1.78.1 to get rid of the CVEs present in the current version of the dependency?
For reference, see Security Advisories in the bouncycastle release notes here.
Unless there is a binary or source incompatibility preventing people from upgrading - I'm not going to do releases just to bump the pom version - consumers can just override the version and management of runtime dependency versions generally is up to them.
This is a pretty unfortunate approach. It is common practice that a library maintainer maintains safe dependencies if it uses dependency management tools. This way we are making the whole community vulnerable. It is like, why should thousands of dependent projects make a hack if only the one depended-on project may do it right?
What you are implying is that hundreds to thousands of library maintainers should push "empty" releases each time a dependency makes a compatible release - with all due respect - this would be a complete waste of time for everybody.
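The override the maintainer refers to, as an added example that is not part of this issue thread or the project's own build: a consumer pins the transitive Bouncy Castle version to 1.78.1 from its own `pom.xml` via `dependencyManagement`, which Maven applies to transitive dependencies too. The artifact coordinates `org.bouncycastle:bcprov-jdk18on` and `bcpkix-jdk18on` are an assumption, since the thread does not name which Bouncy Castle artifact the library pulls in; check the actual one with `mvn dependency:tree -Dincludes=org.bouncycastle` before and after the change.

```xml
<!-- Consumer's pom.xml (fragment). Added example, not the library's own pom.
     Assumption: the library depends on the jdk18on Bouncy Castle artifacts;
     replace the artifactIds with whatever `mvn dependency:tree` shows. -->
<project>
  <properties>
    <!-- Version taken from the issue: the release that clears the advisories -->
    <bouncycastle.version>1.78.1</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Entries here win over the version declared by any transitive
           dependency, so the library's older pin is overridden without
           waiting for a new library release. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The library that transitively brings in Bouncy Castle.
         Placeholder coordinates: the thread does not name the project. -->
    <dependency>
      <groupId>EXAMPLE_GROUP</groupId>
      <artifactId>EXAMPLE_ARTIFACT</artifactId>
      <version>EXAMPLE_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

After rebuilding, `mvn dependency:tree -Dincludes=org.bouncycastle` should list only 1.78.1; if two different Bouncy Castle artifact families (e.g. jdk15on and jdk18on) appear, the managed entries must cover both, since Maven treats them as distinct artifacts.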