#pedestal
2023-11-14
amorokh 12:11:59

hi, is there any work being done regarding the CVEs mentioned in https://github.com/pedestal/pedestal/issues/763 ? is there something I can do to help?

vemv 12:11:49

(Non-maintainer here - I only got a notification because I contribute to nvd-clojure itself.) A good way in which you can contribute (and actually avoid the issue for yourself) is bumping those transitive deps in your specific project and verifying that everything keeps working. Breaking changes are somewhat more frequent in the Java world, so I'd recommend a cautious QA round. Surely the maintainers would appreciate a PR / experience report afterwards.

amorokh 13:11:40

Actually currently doing just that 🙂

Kelvin 20:11:37

Hello, I was the person who opened this issue. We regularly do what @U45T93RA6 described - bump the transitive Jetty deps in our downstream apps and verify that our apps still work. That said, in this case we stuck with the newest Jetty 9.x.x versions, while Pedestal has been updated to use Jetty 11.x.x, so we will have to do further testing when we update Jetty to 11.

hlship 00:11:48

Verifying is appreciated; generally, we bump the Jetty dependency and check that our tests pass. Ideally, I'd deploy it out to a few thousand NuBank servers just to be sure ... but that's a bit of a challenge for internal reasons. I generally trust Jetty, they're old pros at this kind of thing, but a verification by other parties, in production, is always welcome.

amorokh 09:11:51

Many thanks, I will update and try it out in our product! However, we have not yet released to end customers, so we will only be able to verify in preview, dev and test environments.

hlship 16:11:13

We should be able to get a 0.6.x maintenance release out with a fix; we're currently working on Pedestal 0.7, which is based on Jetty 11.
