Seeking clarification regarding unpatched vulnerabilities in dependencies

[Kamal Velan]

Hi folks,

I use Pedestal for my research engineering work. I am surprised to find a good amount of unpatched vulnerabilities within pedestal as reported by `lein nvd check`

I wanted to understand what is the upgrade process  / expected timeline to update these dependencies, specifically within https://github.com/pedestal/pedestal/blob/master/jetty/project.clj

Please do let me know how I can help, eg. creating a PR

Thanks,
Kamal

[Paul deGrandis]

Hi Kamal,

Thanks for using Pedestal and for reaching out on the mailing-list!

PRs that update dependencies and clean up doc strings are always welcome and very helpful.

Outside of a PR, a Github issue is also helpful - there are a few community members who will pick up smaller tickets.

Regarding dependencies in your own projects:
I recommend getting in the habit of using `:exclusions` and pinning problematic transitive dependencies within the top-level of your project.

You can see an example of this within Pedestal itself: https://github.com/pedestal/pedestal/blob/master/service/project.clj#L29

I hope this helps!

Paul

[Daniel De Aguiar]

Hi Kamal,

Adding to what Paul said, I've opened up an issue which captures this. Ideally we'd be identifying and addressing dependencies with vulnerabilities sooner. I'll work on improving in that area.

Thanks for reaching out!

/dan

[Kamal Velan]

Thanks Paul & dan for replying to this mail.

I will look into the exclusions feature and pin my deps appropriately.

Thanks a lot for you work.

Kamal