Replies: 2 comments 5 replies
-
|
We're not going to release a patch just to update a test dependency. We can backport the main branch PR that updated the dependency to 1.0.x branch. We use Scala Steward on main branch. When we release 1.0.3 then that backport will be released. |
Beta Was this translation helpful? Give feedback.
-
|
Sounds good, thanks. |
Beta Was this translation helpful? Give feedback.
-
|
I don't see this dependency. I have a Mac and maybe jnr-posix comes in somehow if you have a different OS - but no sign of it when I run |
Beta Was this translation helpful? Give feedback.
-
|
I see now that this is now an issue on main branch due to #922 - it only happens in 1.0.x branch. |
Beta Was this translation helpful? Give feedback.
-
|
I merged #1276 to the 1.0.x branch |
Beta Was this translation helpful? Give feedback.
-
|
This module is only used in pekko for jmh bench, so it should be safe, we can update it and backport to 1.0.x |
Beta Was this translation helpful? Give feedback.
-
|
to be honest - I don't think this is worth doing anything about jnr/jnr-posix#171 only seems to help if you are using an OS that is very outdated and susceptible to https://nvd.nist.gov/vuln/detail/CVE-2014-4043 Users could just us up to date OS installs. |
Beta Was this translation helpful? Give feedback.
-
Is there interest to upgrade
com.github.jnr:jnr-posixto the latest available version https://mvnrepository.com/artifact/com.github.jnr/jnr-posix/3.1.19 and release a patch of v1.0.2?This is related to https://security.snyk.io/vuln/SNYK-JAVA-COMGITHUBJNR-1570422 -- if there is interest I can make the PR.
It's a transitive dependency on
org.apache.pekko:pekko-bench-jmhand looks like a test only dependency.Beta Was this translation helpful? Give feedback.
All reactions