seata [TODO] Check the dependency libs of all repositories, fix CVEs from them.

rmbxnbpk posted 22 days ago in Other

This was mentioned through the ASF incubator voting. I think it would be better if we could track it.

One minor nit - the dependency list in https://cwiki.apache.org/confluence/display/INCUBATOR/Seata+Proposal has a great deal of outdated dependencies - with a large number of CVEs associated with them.

Let's scan them and fix them soon.

vhmi4jdf

Thanks for raising this. Just eyeballing https://github.com/seata/seata/blob/5aca41d88096ca912ad81ea1071997cf222cfce0/dependencies/pom.xml and here are some of the jar versions that concern me.

  • netty
  • jetty
  • commons-compress
  • h2
  • postgresql
  • grpc - that old version has lots of protobuf related issues
  • zookeeper
  • groovy
  • kotlin
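As an added example (not code from the Seata project or from anyone in this thread), a small Python script that pulls the managed versions of the artifacts listed above out of a Maven `dependencies/pom.xml`, resolving `${...}` property placeholders (including nested ones) so the resulting coordinates and versions can be fed to an advisory lookup; the pom snippet and every version number in it are constructed, not Seata's real values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a Maven dependencies/pom.xml (NOT the real Seata file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <netty.version>4.1.31.Final</netty.version>
    <h2.version>${h2.base}</h2.version>
    <h2.base>1.4.181</h2.base>
  </properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-all</artifactId>
      <version>${netty.version}</version></dependency>
    <dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>${h2.version}</version></dependency>
    <dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId>
      <version>42.1.4</version></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>27.0-jre</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

# Artifact-id prefixes taken from the watchlist in the comment above.
WATCHLIST = ("netty", "jetty", "commons-compress", "h2", "postgresql",
             "grpc", "zookeeper", "groovy", "kotlin")
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

def resolve(value, props):
    """Substitute ${prop} references; loop so a property that points at another property resolves."""
    for _ in range(10):  # bounded to avoid spinning on a self-referencing property
        new = PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if new == value:
            return new  # unknown properties are left as-is so they stand out in the output
        value = new
    return value

def managed_versions(pom_xml, watchlist=WATCHLIST):
    """Return {'groupId:artifactId': version} for watched artifacts in <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    found = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        ver = dep.findtext("m:version", default="", namespaces=NS).strip()
        # match either the bare artifact (h2) or a prefixed family member (netty-all, grpc-core)
        if any(aid == w or aid.startswith(w + "-") for w in watchlist):
            found[f"{gid}:{aid}"] = resolve(ver, props)
    return found
```

Calling `managed_versions(open("dependencies/pom.xml").read())` on a real pom yields the coordinate-to-version map; versions still showing a `${...}` placeholder come from a parent pom or profile and need resolving there.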
e5njpo68

@wu-sheng @pjfanning Seata depends on a large number of third-party dependencies, and we are continuing to monitor the security vulnerabilities of dependencies. To address this, we have already created a project to fix the dependency vulnerabilities.

Dependencies vulnerabilities: https://github.com/seata/seata/projects/12

I will fix the dependency vulnerability mentioned in this issue as soon as possible.
