guardian / play-secret-rotation

Rotate your Application Secret on an active cluster of Play app servers

Dropping Play v2.8 #461

Closed rtyley closed 1 month ago

rtyley commented 4 months ago

We've got limited Play v2.8 usage at the Guardian, so dropping Play v2.8 support may be a good way of fixing SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244:

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244] in com.fasterxml.jackson.core:jackson-databind@2.11.4
    introduced by com.gu.play-secret-rotation:play-v28_2.13@8.3.1-SNAPSHOT > com.typesafe.play:play_2.13@2.8.21 > com.fasterxml.jackson.core:jackson-databind@2.11.4 and 13 other path(s)

Repos using play-v28 at the Guardian

https://github.com/search?q=org%3Aguardian+%22play-v28%22++NOT+is%3Aarchived&type=code

...this rough search shows only one specific use of "com.gu.play-secret-rotation" %% "play-v28":

...there is also only one use of "com.gu.play-googleauth" %% "play-v28":

cc @Divs-B

mkurz commented 4 months ago

btw, Play 2.8 will be EOL 31st of May, which is in 7 days. I will cut one last release with latest dependencies and that's it. So good time to let go.

rtyley commented 1 month ago

Done with https://github.com/guardian/play-secret-rotation/pull/462