Hello,

First, if you want to disclose a vulnerability in a Commons component itself, please read https://commons.apache.org/security.html
Now, back to dependencies.

In general, we use GitHub's Dependabot to inform us of new versions of dependencies. Dependabot then creates the PRs and builds the components; GitHub tracks those builds and then sends emails to our mailing list. An Apache Commons Committer like myself then reviews and approves PRs if nothing breaks.

Commons Validator in git master is already on JUnit 5's Vintage layer (for JUnit 4). What's needed there is a PR that migrates the tests from the JUnit 4 API to the JUnit 5 native API. I'd welcome such a PR.

One challenge when updating a dependency is that for some components, some dependency types are used in the public or protected API of the component. Since we never want to break binary compatibility within a major released line, we cannot change those signatures. That could only happen in the next major release.

There is no official release cycle. We work on a volunteer, best-effort, scratch-your-own-itch basis. If there is something you need, then you are in the right place to ask and discuss it.

HTH,
Gary

On Wed, Nov 22, 2023 at 9:45 PM Henrique Siqueira Santos <hssan...@fitec.org.br> wrote:
>
> I was wondering how the updates for some of the Apache Commons libraries work
> in regards to the vulnerabilities of dependencies of a library (in this case,
> commons-validator).
>
> Is it possible to create a pull request with only upgrades of dependencies of
> a library? For instance, in the commons-validator library, there are some
> dependencies which contain vulnerabilities, such as jUnit. Is a pull request
> to upgrade jUnit from 4.13 to 4.13.2 valid?
>
> Another different example would be the commons-digester library which, from
> what I've seen, has the 3.3-SNAPSHOT version on its master branch, which
> contains some upgrades to those vulnerable dependencies, but it hasn't been
> released yet.
>
> Is there a release cycle or release date planned for these changes?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org