datomic

seepel 2025-09-30T01:35:05.632679Z

Hi all, I'm using Datomic and need to go through SOC 2 and ISO certification. It seems that the most recent version of the Pro transactor has a few security issues in its dependencies. We are going through and updating these by hand; does that sound like the best strategy for us?

➕ 1
jaret 2025-09-30T12:38:07.205479Z

@sean888 We have standing maintenance work to try to stay on top of CVEs with maintenance releases. We evaluate the CVEs as we find them or as users report them to make sure that Datomic is not "actually" exposed, to determine priority. With these vulnerabilities in FasterXML's case we do not have actual exposure here, but we are looking to address these deps along with a project to move to AWS Java SDK v2. I expect that work to come some time this year, but we may also have a maintenance release before that work is out and may slip in the deps. I also believe this particular FasterXML comes in via memcache-asg-java-client. If you aren't using memcached or the ASG client, then you definitely are not exposed.

jaret 2025-09-30T12:39:16.118639Z

For some customers, having "vendor acknowledgement" is enough to check the box. If you bump the deps, I just encourage you to let us know if you encounter issues doing that in staging, etc.

jaret 2025-09-30T12:40:08.860469Z

You can hit me officially at support@datomic.com or by logging a ticket at https://support.cognitect.com/hc/en-us/requests/new.

seepel 2025-09-30T17:20:18.295699Z

Great to know, thank you!