Hi,

I was pleased to see that Jetty was updated in the Solr 8.9 release:

SOLR-15316: Upgrade Jetty to 9.4.41.v20210516 (janhoy, Mike Drob)

However, I still see the older jetty and netty dependencies in solrj 8.9.0, so we still have all the accompanying CVE issues. Should Solrj not have been updated at the same time?

[INFO] +- org.apache.solr:solr-solrj:jar:8.9.0:compile
[INFO] | +- commons-io:commons-io:jar:2.8.0:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-codec:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-common:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-resolver:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.60.Final:compile
[INFO] | +- io.netty:netty-transport-native-unix-common:jar:4.1.60.Final:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] | +- org.apache.httpcomponents:httpmime:jar:4.5.13:compile
[INFO] | +- org.apache.zookeeper:zookeeper:jar:3.6.2:compile
[INFO] | +- org.apache.zookeeper:zookeeper-jute:jar:3.6.2:compile
[INFO] | +- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] | +- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:compile
[INFO] | +- org.eclipse.jetty:jetty-alpn-client:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty:jetty-alpn-java-client:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty:jetty-client:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty:jetty-http:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty:jetty-io:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty:jetty-util:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty.http2:http2-client:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty.http2:http2-common:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty.http2:http2-hpack:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty.http2:http2-http-client-transport:jar:9.4.38.v20210224:compile
[INFO] | \- org.xerial.snappy:snappy-java:jar:1.1.7.6:compile
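
A check for the mismatch described in the message above, as an added example that is not part of the original email or of the Solr project: it parses `mvn dependency:tree` output and lists the Jetty artifacts whose version is below the one named in SOLR-15316. The function names and the embedded sample lines (copied from the tree in the message) are constructed for illustration.

```python
# Version the release note on this page names (SOLR-15316).
JETTY_FLOOR = "9.4.41.v20210516"

# Constructed sample: a few lines taken from the tree in the message above.
SAMPLE_TREE = """\
[INFO] +- org.apache.solr:solr-solrj:jar:8.9.0:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.60.Final:compile
[INFO] | +- org.eclipse.jetty:jetty-client:jar:9.4.38.v20210224:compile
[INFO] | +- org.eclipse.jetty.http2:http2-hpack:jar:9.4.38.v20210224:compile
[INFO] | \\- org.xerial.snappy:snappy-java:jar:1.1.7.6:compile
"""


def parse_tree(text):
    """Yield (group, artifact, version) for each dependency line in the tree."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # Coordinate format: group:artifact:type[:classifier]:version:scope
        parts = tokens[-1].split(":")
        if len(parts) >= 5:
            yield parts[0], parts[1], parts[-2]


def version_key(version):
    """Leading numeric fields only: '9.4.38.v20210224' -> (9, 4, 38)."""
    nums = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def lagging(text, group_prefix="org.eclipse.jetty", floor=JETTY_FLOOR):
    """Return sorted group:artifact:version strings below the floor version."""
    floor_key = version_key(floor)
    return sorted(
        f"{g}:{a}:{v}"
        for g, a, v in parse_tree(text)
        if g.startswith(group_prefix) and version_key(v) < floor_key
    )


if __name__ == "__main__":
    for coord in lagging(SAMPLE_TREE):
        print("below", JETTY_FLOOR, "->", coord)
```
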