Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2021/08/30 12:19:20 UTC

[GitHub] [bookkeeper] eolivelli commented on a change in pull request #2765: Release note for 4.14.2

eolivelli commented on a change in pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#discussion_r698437464



##########
File path: site/docs/4.14.2/overview/releaseNotes.md
##########
@@ -20,6 +20,22 @@ The technical details of this release are summarized below.
 
   The current libthrift version 0.12.0 has multiple vulnerabilities: CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
 
+- [https://github.com/apache/bookkeeper/pull/2735] Exclude grpc-okhttp dependency
+
+  The okhttp dependency version 2.7.4 is old and vulnerable. This dependency isn't needed and it causes Bookkeeper to be flagged for security vulnerabilities.
+
+- [https://github.com/apache/bookkeeper/pull/2734] Upgrade Freebuilder version and fix the dependency
+
+  - Freebuilder 1.14.9 contains an outdate jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
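Review bot: the Freebuilder entry is formatted as a nested bullet (`+  - Freebuilder 1.14.9 contains ...`) while the two entries above it describe the change in an indented paragraph under the PR link, so this one will render as a sub-list; use the same paragraph form. In that same line, "outdate" should be "outdated", and "Bookkeeper" should be spelled "BookKeeper" to match the project name. The grpc-okhttp entry states that okhttp 2.7.4 "is old and vulnerable" but, unlike the libthrift entry directly above it, cites no CVE; either list the CVE(s) the scanner reports or say only that the dependency is unused and excluded. The Freebuilder entry asserts the Sonatype IQ finding is a false positive without saying why; a short clause explaining why the bundled jquery file is not an exploitable exposure in BookKeeper would let users assess the claim.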

Review comment:
       yes, please remove the reference to Pulsar @zymap 




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@bookkeeper.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org