Comment: Updated guidance for security vulnerabilities as discussed on the dev list

...

  • libraries that are embedded/inlined in OSGi bundles since those will end up deployed directly
  • dependencies of Maven plug-ins
  • bundles that are deployed directly in applications like the Sling Starter, the Sling Karaf Features, or the Sling CMS
  • dependencies of projects written in Node.js
  • updating the versions of dependencies to the oldest compatible version that does not have known security vulnerabilities (per the discussion at this thread). This should resolve the concerns raised by security scanning tools while still ensuring that our bundles are deployable to the widest possible range of "secure" environments.

It is possible to configure Dependabot directly using the .asf.yaml file; see Git - .asf.yaml features#DependabotAlertsandUpdates.