On Thu, 23 Nov 2023 at 13:05, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Hello,
>
> First, if you want to disclose a vulnerability in a Commons component
> itself, please read https://commons.apache.org/security.html
>
> Now, back to dependencies.
>
> In general, we use GitHub's Dependabot to inform us of new versions of
> dependencies. Dependabot then creates the PRs and builds the
> components and GitHub tracks those builds, and then sends emails to
> our mailing list. An Apache Commons Committer like myself then reviews
> and approves PRs if nothing breaks.
>
> Commons Validator in git master is already on JUnit 5's Vintage layer
> (for JUnit 4). What's needed there is a PR that migrates
> the tests from the JUnit 4 API to the JUnit 5 native API. I'd welcome
> such a PR.
>
> One challenge when updating a dependency is that for some components,
> some dependency types are used in the public or protected API of the
> component. Since we never want to break binary compatibility within a
> major released line, we cannot change those signatures. That could
> only happen in the next major release.
>
> There is no official release cycle. We work on a volunteer,
> best-effort, scratch-your-own-itch basis. If there is something you
> need, then you are in the right place to ask and discuss it.
Also, note that JUnit is a test dependency, so any vulnerabilities in it
do not apply to production installations of Validator.

Furthermore, the version of a dependency which is loaded depends on how
the component jar is deployed. Generally a user can override the default
version stated in the component pom. Indeed this happens automatically
in Maven if another jar declares a dependency on a later version with
the same Maven coordinates.

> HTH,
> Gary
>
> On Wed, Nov 22, 2023 at 9:45 PM Henrique Siqueira Santos
> <hssan...@fitec.org.br> wrote:
> >
> > I was wondering how the updates for some of the apache commons libraries
> > work in regards to the vulnerabilities of dependencies of a library (in
> > this case, commons-validator).
> >
> > Is it possible to create a pull request with only upgrades of dependencies
> > of a library? For instance, in the commons-validator library, there are
> > some dependencies which contain vulnerabilities such as JUnit. Is a pull
> > request to upgrade JUnit from 4.13 to 4.13.2 valid?
> >
> > Another different example would be the commons-digester library which, from
> > what I've seen, has the 3.3-SNAPSHOT version on its master branch which
> > contains some upgrades to those vulnerable dependencies, but it hasn't been
> > released yet.
> >
> > Is there a release cycle or release date planned for these changes?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
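As an added illustration of the two points made in the reply above (test scope keeps JUnit off the runtime classpath, and a consuming project can override the version of a transitive dependency declared in a Commons component's pom), here is a consumer pom.xml. It is not code from the thread or from the Apache Commons project. The project coordinates (org.example:validator-consumer) are assumed, and the version numbers are illustrative rather than a recommendation; commons-beanutils is used as the transitive dependency being pinned because Validator's pom declares it, but the same dependencyManagement pattern works for any artifact.

```xml
<!-- Added example, not from the thread or from Apache Commons.
     A consumer project that depends on commons-validator and decides
     for itself which version of a transitive dependency is deployed. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>              <!-- assumed -->
  <artifactId>validator-consumer</artifactId> <!-- assumed -->
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive dependency explicitly. A managed version
           wins over whatever commons-validator's own pom declares, so
           the override does not depend on Maven's nearest-wins
           mediation (which picks the declaration closest to the root
           of the tree, not the newest version). Version is illustrative. -->
      <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>commons-validator</groupId>
      <artifactId>commons-validator</artifactId>
      <version>1.7</version> <!-- illustrative -->
    </dependency>

    <!-- Test scope: present on the test classpath only. It is not
         packaged into the artifact and not on the runtime classpath,
         which is why a JUnit CVE does not reach a deployed Validator. -->
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm what actually ships, run `mvn dependency:tree -Dscope=runtime` in the consumer project: the resolved commons-beanutils line should show the managed version, and junit should be absent from the runtime tree entirely. Scanners that read the component's own pom rather than the consumer's resolved tree will still flag the test dependency, so this is the check to point them at.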