This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-11-14
Hi, is there any work being done regarding the CVEs mentioned in https://github.com/pedestal/pedestal/issues/763? Is there something I can do to help?
(non-maintainer here - I only got a notification because I contribute to nvd-clojure itself) A good way in which you can contribute (and actually avoid the issue for you) is bumping those transitive deps in your specific project, and verifying that everything keeps working. Breaking changes are somewhat more frequent in the Java world, so I'd recommend a cautious QA round. Surely the maintainers would appreciate a PR / experience report afterwards.
Hello, I was the person who opened this issue. We regularly do what @U45T93RA6 described - bump the transitive Jetty deps in our downstream apps and verify that our apps still work. That said, in this case we stuck with the newest Jetty 9.x.x versions, while Pedestal has been updated to use Jetty 11.x.x, so we will have to do further testing when we update Jetty to 11.
Verifying is appreciated; generally, we bump the Jetty dependency and check that our tests pass. Ideally, I'd deploy it out to a few thousand NuBank servers just to be sure ... but that's a bit of a challenge for internal reasons. I generally trust Jetty, they're old pros at this kind of thing, but a verification by other parties, in production, is always welcome.