Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2021/08/30 12:16:00 UTC

[GitHub] [bookkeeper] nicoloboschi commented on a change in pull request #2765: Release note for 4.14.2

nicoloboschi commented on a change in pull request #2765:
URL: https://github.com/apache/bookkeeper/pull/2765#discussion_r698434977



##########
File path: site/docs/4.14.2/overview/releaseNotes.md
##########
@@ -20,6 +20,22 @@ The technical details of this release are summarized below.
 
   The current libthrift version 0.12.0 has multiple vulnerabilities: CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
 
+- [https://github.com/apache/bookkeeper/pull/2735] Exclude grpc-okhttp dependency
+
+  The okhttp dependency version 2.7.4 is old and vulnerable. This dependency isn't needed and it causes Bookkeeper to be flagged for security vulnerabilities.
+
+- [https://github.com/apache/bookkeeper/pull/2734] Upgrade Freebuilder version and fix the dependency
+
+  - Freebuilder 1.14.9 contains an outdate jquery js file which causes the library to be flagged as vulnerable with the highest threat level in Sonatype IQ vulnerability scanner. This also flags Bookkeeper and Pulsar as vulnerable with the highest threat level although it is a false positive and not an actual threat.
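Review bot: the grpc-okhttp entry cites no advisory, while the libthrift entry just above lists its CVEs; the line "The okhttp dependency version 2.7.4 is old and vulnerable" should either name the CVEs (or the scanner finding) behind that claim or be reworded to say only that the dependency is unused and is excluded so scanners stop flagging it. It also mixes artifacts: the PR title excludes grpc-okhttp, but the version quoted (2.7.4) is for okhttp itself, so say which artifact that version refers to. Two smaller points in the Freebuilder entry: "outdate jquery js file" should read "outdated jQuery file", and it is written as a nested "  - " bullet while the okhttp entry above uses a plain indented paragraph; pick one layout for both.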

Review comment:
       idk if it's good to mention pulsar here, I feel it is not relevant for BK release notes



