opensearch-project / OpenSearch-Dashboards

📊 Open source visualization dashboards for OpenSearch.
https://opensearch.org/docs/latest/dashboards/index/
Apache License 2.0

Vulnerability management problems #6043

Open chadmyers opened 7 months ago

chadmyers commented 7 months ago

We're currently stuck on OpenSearch 2.7 and OpenSearch Dashboards 2.7.

The official 2.7 image on dockerhub hasn't been updated in 10 months and has several critical vulnerabilities in the Linux operating system and several critical vulnerabilities in OpenSearch Dashboards-related node package dependencies.

Even if we built our own OpenSearch Dashboards docker image based on an updated base Linux image, we'd still have critical vulnerabilities in OpenSearch Dashboards itself (dependencies).

Also, even if we upgraded to the latest OpenSearch and OpenSearch Dashboards, within a month or so there'd likely be critical vulnerabilities in the related node packages.

Is the OpenSearch Dashboards team considering a plan to offer long-term support on certain versions and commit to patching dependencies and possibly releasing updated official images on a monthly basis?

wbeckler commented 6 months ago

The policy is that the latest versions are actively maintained: https://opensearch.org/releases.html There's no current policy to fix CVEs in older versions, but it doesn't hurt to open the question and see what others say. The packages.json allows for higher versions of packages upon building, and there might be a way for self hosted instances to autoupdate or update vulnerable packages on demand. Anyone have suggestions on how to make this a better experience?