There are a number of CVEs published in the transitive dependencies. For example: https://mvnrepository.com/artifact/org.apache.ozone/hdds-common/2.0.0

We should run security scan tools and bump dependency versions as part of the release effort.

On Tue, Jul 22, 2025 at 12:23 AM Wei-Chiu Chuang <weic...@apache.org> wrote:

> Yeah I'd go with a release train model. If a feature makes it, it gets
> included; otherwise, next release.
> Though it's still good to discuss what could be included in a release, so
> that there's a healthy number of new features in each release, and we don't
> release for sake of release.
> And not a bad idea to give the owner of each release a sense of urgency :)
>
> On Mon, Jul 21, 2025 at 9:41 PM Attila Doroszlai <adorosz...@apache.org>
> wrote:
>
>> > My primary goal is to push for a more regular and predictable
>> > release schedule, as I believe this would accelerate the delivery of
>> > features more effectively.
>>
>> +1, I also think that regular releases would be better.
>>
>> But then we shouldn't discuss features to be included, rather release
>> schedule/cadence. (Whatever is ready gets included.)
>>
>> -Attila
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@ozone.apache.org
>> For additional commands, e-mail: dev-h...@ozone.apache.org