Closed SebGondron closed 1 month ago
Hi @SebGondron, we do not normally list dependent packages as it is impractical to list them all. Is there a particular reason why an exception should be made for groovy-all?
Hi @JonathanLEvans. Indeed, this is the usual approach and I usually stick to it. This one is a bit different imo. Yes, technically groovy-all depends on groovy, but not for one functionality; it includes all of it, as if it were the core. In practice, many developers use groovy-all in lieu of groovy to use the core. As many organizations monitor only the direct dependencies for vulnerabilities, this in practice hides these vulnerabilities in the groovy core.
I would understand if you did not want to deviate from it, but I wanted to raise the point that in this case groovy is not really a dependency of groovy-all, since groovy-all is more a wrapper around groovy (I would, however, consider the dependencies of groovy as indirect dependencies, for instance).
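The point above (a scanner that only matches advisories against direct dependencies never sees the groovy core behind groovy-all) can be shown with a small matcher. This is an added example, not code from this PR or from the GitHub Advisory Database tooling. The package names groovy and groovy-all come from the thread; the dependency tree, the advisory id `EXAMPLE-0001` and the version numbers are constructed placeholders, not a real advisory or real affected range.

```python
"""Added example: direct-only vs transitive advisory matching.

Package names are from the thread; the advisory id, version numbers and the
project's dependency tree are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple

Version = Tuple[int, ...]


@dataclass
class Advisory:
    advisory_id: str
    package: str
    fixed_in: Version  # versions strictly below this are treated as affected (constructed)


@dataclass
class Dep:
    name: str
    version: Version
    deps: List["Dep"] = field(default_factory=list)


def parse_version(text: str) -> Version:
    """Turn '2.4.0' into (2, 4, 0) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def walk(dep: Dep, depth: int = 0) -> Iterator[Tuple[Dep, int]]:
    """Depth-first walk yielding (dependency, depth); depth 1 = direct dependency."""
    yield dep, depth
    for child in dep.deps:
        yield from walk(child, depth + 1)


def match(project: Dep, advisories: List[Advisory], transitive: bool) -> List[Tuple[str, str]]:
    """Return (advisory_id, package) pairs for affected dependencies.

    With transitive=False only depth-1 (direct) dependencies are checked,
    which is what the thread describes many organizations doing.
    """
    findings = set()
    for dep, depth in walk(project):
        if depth == 0:
            continue  # the project itself is not a dependency
        if not transitive and depth > 1:
            continue
        for adv in advisories:
            if adv.package == dep.name and dep.version < adv.fixed_in:
                findings.add((adv.advisory_id, dep.name))
    return sorted(findings)


# Constructed project: depends directly on groovy-all, which wraps the groovy core.
PROJECT = Dep("example-app", parse_version("1.0.0"), [
    Dep("org.codehaus.groovy:groovy-all", parse_version("2.4.0"), [
        Dep("org.codehaus.groovy:groovy", parse_version("2.4.0")),
    ]),
])

# Constructed advisory that lists only the core package.
ADVISORY_CORE_ONLY = [
    Advisory("EXAMPLE-0001", "org.codehaus.groovy:groovy", parse_version("2.4.4")),
]

# The same constructed advisory, additionally listing the wrapper package.
ADVISORY_WITH_WRAPPER = ADVISORY_CORE_ONLY + [
    Advisory("EXAMPLE-0001", "org.codehaus.groovy:groovy-all", parse_version("2.4.4")),
]


if __name__ == "__main__":
    print("core only, direct deps:   ", match(PROJECT, ADVISORY_CORE_ONLY, transitive=False))
    print("core only, transitive:    ", match(PROJECT, ADVISORY_CORE_ONLY, transitive=True))
    print("with wrapper, direct deps:", match(PROJECT, ADVISORY_WITH_WRAPPER, transitive=False))
```

With only the core package listed, the direct-only scan returns nothing even though the vulnerable core is present one level down; walking the tree finds it. Listing the wrapper package too lets even the direct-only scan surface the finding, which is the practical effect of the exception requested in this PR.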
Hi @SebGondron, thank you for the clarification. Groovy's documentation suggests using either so I am going to accept these requests.
Hi @SebGondron! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Updates
Comments: groovy-all also contains the core groovy, so every vulnerability in the core groovy is included in groovy-all.