# ktor

dodalovic

06/20/2022, 7:22 AM
One question for the team: our vulnerabilities scanner reports that we have quite some libs in 2.0.1 that are very outdated, and that impose security risks. Will this be addressed?

hfhbd

06/20/2022, 7:24 AM
Could you file an issue with the versions/dependencies? BTW you should be able to overwrite the dependencies by specifying them manually.

dodalovic

06/20/2022, 7:25 AM
These are coming transitively from various ktor modules, and should not be managed on your own.
I saw jetty stuff being reported, jackson, whatnot.

hfhbd

06/20/2022, 7:27 AM
Until updating the dependencies upstream, it is absolutely valid to force updating the transitive dependencies (with tests of course).

dodalovic

06/20/2022, 7:41 AM
That's fine. My opinion is that the framework provider should provide non-risky software. Let's not waste time on this 🙂 I was more curious to hear from the project team

Aleksei Tirman [JB]

06/21/2022, 3:11 PM
Please specify concrete versions of dependencies that have vulnerabilities.