Closed ckipp01 closed 1 year ago
@ckipp01 Agreed. Related to the discussion 13799 I initiated in October 2021 (and with only one piece of feedback, sadly, IMO).
Hello, I would like to help with this issue. I notice that a PR has been started but is blocked by an error. At least, if someone has started a correction or has some suggestions, I am quite interested!
Compiler version
All of them that contain the new Scaladoc.
Description
From what I can see, since the new Scaladoc was introduced it has been using a very old version of Flexmark, 0.42.12. This version was released in early 2019 and has a handful of CVEs attached to it, as you can see under Vulnerabilities. Any type of CVE scanning that many places do will pick this up. There are also a ton of extensions being used that are old and also have CVEs attached to them. It looks like even the newest version, 0.64.0, still has some, but I feel it's not a good idea to use something as old as this without ever updating it, especially seeing that there are CVEs attached to it.
Expectation
I'd expect the dependencies the compiler uses to be up to date, and that the team does its best to avoid dependencies with published CVEs.
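The kind of check the report is asking for can be run as a CI gate on the build's resolved dependency tree, failing when any artifact from a flagged group resolves below a minimum version. The following is an added example, not code from the Scala 3 or Scaladoc repositories. It assumes a `group:artifact:version` coordinate format loosely modelled on `sbt dependencyTree` output (the sample tree below is constructed, not captured from a real build), skips entries marked `(evicted by: ...)` because only the version that actually lands on the classpath matters, and uses 0.64.0 as the floor purely because that is the newest Flexmark version mentioned in the report, not because it is known to be CVE-free.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, loosely modelled on `sbt dependencyTree` output.
# These coordinates are illustrative and were not taken from a real Scaladoc build.
SAMPLE_TREE = """\
[info] org.scala-lang:scaladoc_3:3.3.0 [S]
[info]   +-com.vladsch.flexmark:flexmark-all:0.42.12
[info]   | +-com.vladsch.flexmark:flexmark:0.42.12
[info]   | +-com.vladsch.flexmark:flexmark-ext-anchorlink:0.42.12
[info]   | +-com.vladsch.flexmark:flexmark-util:0.42.12
[info]   +-com.vladsch.flexmark:flexmark-util:0.40.0 (evicted by: 0.42.12)
[info]   +-nl.big-o:liqp:0.8.2
[info]   | +-org.jsoup:jsoup:1.15.3
"""

# group:artifact:version; the group must start with a letter so that the
# tree decoration ("+-", "| ") in front of a coordinate is not swallowed.
COORD_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9_.\-]*):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a dotted version as a comparable tuple.

    "0.64.0" -> (0, 64, 0); parsing stops at the first non-numeric piece,
    so "1.2.3-RC1" compares as (1, 2, 3).
    """
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolved_artifacts(tree: str) -> Dict[str, str]:
    """Map "group:artifact" -> version for what actually ends up on the classpath.

    Evicted entries are skipped: reporting them would produce false positives
    for versions the build never uses.
    """
    resolved: Dict[str, str] = {}
    for line in tree.splitlines():
        if "(evicted by:" in line:
            continue
        m = COORD_RE.search(line)
        if m:
            group, artifact, version = m.groups()
            resolved[f"{group}:{artifact}"] = version
    return resolved


def outdated(tree: str, group: str, minimum: str) -> List[Tuple[str, str]]:
    """Artifacts of `group` whose resolved version is below `minimum`, sorted."""
    floor = parse_version(minimum)
    return sorted(
        (coord, version)
        for coord, version in resolved_artifacts(tree).items()
        if coord.startswith(group + ":") and parse_version(version) < floor
    )


if __name__ == "__main__":
    # Exit non-zero so a CI job fails when the floor is not met.
    import sys

    findings = outdated(SAMPLE_TREE, "com.vladsch.flexmark", "0.64.0")
    for coord, version in findings:
        print(f"{coord} resolves to {version}, below the required 0.64.0")
    sys.exit(1 if findings else 0)
```

Feeding it real build output would mean piping the dependency tree into `outdated` instead of `SAMPLE_TREE`; the version floor is a policy input and should come from whatever vulnerability feed the project trusts, since a numeric comparison alone says nothing about whether the newer version has its own advisories.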