This was mentioned during the ASF incubator voting. I think it would be better if we could track it.
One minor nit - the dependency list in https://cwiki.apache.org/confluence/display/INCUBATOR/Seata+Proposal has a great deal of outdated dependencies - with a large number of CVEs associated with them.
Let's scan them and fix them soon.
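The first step of "scan them" is turning a Maven `dependencies/pom.xml` into an exact inventory of coordinates, because a version that is only written as `${foo.version}` in a `<dependencyManagement>` block is invisible until properties are expanded. The script below is an added example, not code from the Seata project or from this issue: it parses a constructed pom (the `org.example` artifacts, their versions and the minimum-version policy table are all made up for the demonstration and assert nothing about any real library), resolves `${...}` properties, emits Package URLs in the `pkg:maven/group/artifact@version` form that scanners consume, and flags entries below a minimum version using a deliberately simplified Maven-style version comparator (an assumption; Maven's full ordering rules are more involved).

```python
"""Inventory a Maven dependencies pom and flag versions below a policy minimum.

Added example. SAMPLE_POM and SAMPLE_POLICY are constructed test data, not
real project data or real advisory data.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: a "dependencies" pom whose versions live in <properties>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.example</groupId>
  <artifactId>example-dependencies</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <properties>
    <netlib.version>4.1.42.Final</netlib.version>
    <jsonlib.version>2.9.9</jsonlib.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency><groupId>org.example</groupId><artifactId>netlib</artifactId><version>${netlib.version}</version></dependency>
      <dependency><groupId>org.example</groupId><artifactId>jsonlib-core</artifactId><version>${jsonlib.version}</version></dependency>
      <dependency><groupId>org.example</groupId><artifactId>jsonlib-databind</artifactId><version>${jsonlib.version}</version></dependency>
      <dependency><groupId>org.example</groupId><artifactId>util</artifactId><version>1.2.60</version></dependency>
      <dependency><groupId>io.example</groupId><artifactId>example-core</artifactId><version>${project.version}</version></dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed policy: minimum acceptable version per coordinate (hypothetical values).
SAMPLE_POLICY = {
    ("org.example", "netlib"): "4.1.50.Final",
    ("org.example", "jsonlib-core"): "2.9.9",
    ("org.example", "jsonlib-databind"): "2.10.0",
    ("org.example", "util"): "1.2.60",
}


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def parse_managed_dependencies(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion)] from <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    props["project.version"] = _text(root, "version") or ""
    props["project.groupId"] = _text(root, "groupId") or ""

    def lookup(name):
        if name not in props:
            raise KeyError(f"unresolved Maven property ${{{name}}}")
        return props[name]

    def resolve(value):
        if value is None:
            return None
        for _ in range(10):  # bounded so a self-referential property cannot loop forever
            expanded = re.sub(r"\$\{([^}]+)\}", lambda m: lookup(m.group(1)), value)
            if expanded == value:
                return expanded
            value = expanded
        raise ValueError(f"property expansion did not converge: {value}")

    deps = []
    for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        deps.append((_text(d, "groupId"), _text(d, "artifactId"), resolve(_text(d, "version"))))
    return deps


def purl(group, artifact, version):
    """Package URL for a Maven coordinate (no percent-encoding needed for plain ids)."""
    return f"pkg:maven/{group}/{artifact}@{version}"


def version_key(v):
    """Simplified Maven-style version ordering (assumption, not Maven's exact rules):
    numeric segments compare numerically, trailing zeros are ignored (2.9 == 2.9.0),
    'final'/'release'/'ga' equal no qualifier, any other qualifier sorts before the
    plain release of the same numeric stem (1.0.0-SNAPSHOT < 1.0.0)."""
    nums, qual = [], []
    for part in re.split(r"[.\-]", v.lower()):
        if part.isdigit():
            (qual if qual else nums).append((1, int(part)) if qual else int(part))
        elif part in ("", "final", "release", "ga"):
            continue
        else:
            qual.append((0, part))
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 1 if not qual else 0, tuple(qual))


def is_below_minimum(version, minimum):
    return version_key(version) < version_key(minimum)


def audit(pom_xml, policy):
    """Flag every managed dependency whose resolved version is below the policy minimum."""
    findings = []
    for g, a, v in parse_managed_dependencies(pom_xml):
        minimum = policy.get((g, a))
        if minimum is not None and is_below_minimum(v, minimum):
            findings.append({"purl": purl(g, a, v), "version": v, "minimum": minimum})
    return findings


if __name__ == "__main__":
    for g, a, v in parse_managed_dependencies(SAMPLE_POM):
        print(purl(g, a, v))
    for f in audit(SAMPLE_POM, SAMPLE_POLICY):
        print(f"BELOW MINIMUM: {f['purl']} (policy requires >= {f['minimum']})")
```

The purl list is the hand-off point: feed it to an advisory-backed scanner rather than to a hand-written policy table, for example by running OWASP Dependency-Check's Maven plugin (`org.owasp:dependency-check-maven`, goal `check`) against the same pom. Two caveats a reviewer of the output should keep in mind: a parent-pom `<dependencyManagement>` only pins what modules actually declare, so the managed list is a superset of the shipped jars, and transitive dependencies that nothing in the pom names are not in this inventory at all.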
2 answers
vhmi4jdf1#
Thanks for raising this. Just eyeballing https://github.com/seata/seata/blob/5aca41d88096ca912ad81ea1071997cf222cfce0/dependencies/pom.xml and here are some of the jar versions that concern me.
e5njpo682#
@wu-sheng @pjfanning Seata depends on a large number of third-party dependencies, and we are continuing to monitor the security vulnerabilities of dependencies. To address this, we have already created a project to fix the dependency vulnerabilities.
Dependencies vulnerabilities: https://github.com/seata/seata/projects/12
I will fix the dependency vulnerability mentioned in this issue as soon as possible.