seata [TODO] Check the dependency libs of all repositories, fix CVEs from them.

rmbxnbpk  于 4个月前  发布在  其他
关注(0)|答案(2)|浏览(73)

This was mentioned through the ASF incubator voting. I think it would be better if we could track it.

One minor nit - the dependency list in
https://cwiki.apache.org/confluence/display/INCUBATOR/Seata+Proposal
has a great deal out of outdated dependencies - with a large number of
CVEs associated with them.

Let's scan them and fix them soon.

vhmi4jdf

vhmi4jdf1#

Thanks for raising this. Just eyeballing https://github.com/seata/seata/blob/5aca41d88096ca912ad81ea1071997cf222cfce0/dependencies/pom.xml and here are some of the jar versions that concern me.

  • netty
  • jetty
  • commons-compress
  • h2
  • postresql
  • grpc - that old version has lots of protobuf related issues
  • zookeeper
  • groovy
  • kotlin
e5njpo68

e5njpo682#

@wu-sheng@pjfanning Seata depends on a large number of third-party dependencies, and we are continuing to monitor the security vulnerabilities of dependencies. To address this, we have already created a project to fix the dependencies vulnerabilities.

Dependencies vulnerabilities: https://github.com/seata/seata/projects/12

I will fix the dependency vulnerability mentioned in this issue as soon as possible.

相关问题