# ktor
d
One question for the team: our vulnerabilities scanner reports that we have quite some libs in 2.0.1 that are very outdated, and that impose security risks. Will this be addressed?
h
Could you file an issue with the versions/dependencies? BTW you should be able to overwrite the dependencies by specifying them manually.
d
these are coming transitively from various ktor modules, and should not be managed on your own
I saw jetty stuff being reported, jackson, whatnot
h
Until updating the dependencies upstream, it is absolutely valid to force updating the transitive dependencies (with tests of course).
d
That's fine. My opinion is that the framework provider should provide non-risky software. Let's not waste time on this 🙂 I was more curious to hear from the project team
a
Please specify concrete versions of dependencies that have vulnerabilities.