Can ring use the latest version of Jetty - 9.4.49.v20220914

ring-clojure / ring

Clojure HTTP server abstraction

MIT License

3.78k stars 520 forks source link

Closed Bediako closed 2 years ago

Bediako commented 2 years ago

Hi! Thanks for supporting Ring!

My security and operations team is concerned about the version of Jetty of which Ring ships. I have a couple of questions.

First, could Ring release a new version that upgrades the embedded Jetty version to 9.4.49.v20220914?

Second, if upgrading to Jetty 9.4.49.v20220914 isn't easy, how can I tell Ring to use another version of Jetty instead; is this possible?

I appreciate any advice you have on this issue. Thanks!

weavejester commented 2 years ago

You can specify the Jetty dependency the same way you would any other, so with Leiningen:

[org.eclipse.jetty/jetty-server "9.4.49.v20220914"]

Or with deps.edn:

{org.eclipse.jetty/jetty-server {:mvn/version "9.4.49.v20220914"}}

The changelog for 9.4.49 doesn't note any vulnerabilities or critical issues over 9.4.48, so I don't think there's any need to update right away.