ocpsoft / prettytime

Social Style Date and Time Formatting for Java
http://ocpsoft.org/prettytime/
Apache License 2.0

fix(sec): upgrade jetty-server to 11.0.10 #239

Closed Wninayyds closed 1 year ago

Wninayyds commented 1 year ago

Upgrade jetty-server from 10.0.10 to 11.0.10 for vulnerability fix:

lincolnthree commented 1 year ago

Thanks for this PR!

ShareASmile commented 1 year ago

@lincolnthree I noticed this jetty-server upgrade has been reverted in the 5.0.5 final commit https://github.com/ocpsoft/prettytime/commit/8b3cb3faf678ac6da2e7536997764e1d8ef8d2a0

Any reasons for that, as jetty-server 10.0.10 contains security vulnerabilities?

ShareASmile commented 1 year ago

There is 11.0.11 you can try updating to, as it is a critical fix over the unstable 11.0.10: https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.11

Read this comment: https://github.com/ConsenSys/tessera/pull/1463#discussion_r916349778

For reference, there are more updates; see the changelogs at https://github.com/eclipse/jetty.project/releases

You can also use Jetty 10.0.11, as it has specific fixes that were done in PR https://github.com/eclipse/jetty.project/pull/8165, but read the issue tracker/pull request discussions to find any issues that may arise.

lincolnthree commented 1 year ago

My apologies for the confusion.

@ShareASmile Yes, the Jetty version update caused the build to fail as it is not backwards compatible with v10. Therefore it cannot be merged until those issues are fixed. This dependency is only used in sample repositories, and is not a user-facing dependency. Therefore it is not a risk to end-users of PrettyTime (unless they are copying sample apps and using them in production, which I do not feel is likely).

In addition, the affected sample uses JSTL, which is 14 years old now. It is highly unlikely that any new projects would copy code from this sample. To be honest, I would rather delete the sample than bother updating this dependency, but if you would like to try to fix the build and make sure it works, I'd be happy to merge again.

It sounds like we should try again with the patched version 10.