Hi Elliotte,

On Sun, 3 Dec 2023 at 14:13, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>
> https://issues.apache.org/jira/projects/VALIDATOR/issues/VALIDATOR-390
> and https://issues.apache.org/jira/projects/VALIDATOR/issues/VALIDATOR-357
> are both open dependency upgrades with security implications. If
> they've already been fixed, then please close the issues.
>
> If they haven't been fixed, I vote -1 until they are. Looking at head,
> I think VALIDATOR-357 has been fixed and should be closed, but
> VALIDATOR-390 is still open.

Looking at the SBOM, the only dependencies (including transitive ones) are:

* commons-beanutils 1.9.4,
* commons-digester 2.1,
* commons-logging 1.3.0,
* commons-collections 3.3.2.

None of them have CVEs.

Piotr