Posted to issues@maven.apache.org by GitBox <gi...@apache.org> on 2022/04/27 14:06:42 UTC

[GitHub] [maven-resources-plugin] patpatpat123 opened a new pull request, #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

patpatpat123 opened a new pull request, #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21

   Following this checklist to help us incorporate your 
   contribution quickly and easily:
   
   I do not have a Jira account. It is just me trying to bump a pom file using java 7, known to be EOL, and other dependencies that have proven CVEs.
    - [ ] Make sure there is a [JIRA issue](https://issues.apache.org/jira/browse/MRESOURCES) filed 
          for the change (usually before you start working on it).  Trivial changes like typos do not 
          require a JIRA issue.  Your pull request should address just this issue, without 
          pulling in other changes.
   
   I hope mine is meaningful.
    - [ ] Each commit in the pull request should have a meaningful subject line and body.
    - [ ] Format the pull request title like `[MRESOURCES-XXX] - Fixes bug in ApproximateQuantiles`,
          where you replace `MRESOURCES-XXX` with the appropriate JIRA issue. Best practice
          is to use the JIRA issue title in the pull request title and in the first line of the 
          commit message.
    - [ ] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
   
   Yes, and all tests passed
    - [ ] Run `mvn clean verify` to make sure basic checks pass. A more thorough check will 
          be performed on your pull request automatically.
    - [ ] You have run the integration tests successfully (`mvn -Prun-its clean verify`).
   
   I am actually fine, and even prefer not to be a contributor. I just want to keep this very cool project relevant with security and time
   If your pull request is about ~20 lines of code you don't need to sign an
   [Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf) if you are unsure
   please ask on the developers list.
   
   To make clear that you license your contribution under 
   the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   you have to acknowledge this by using the following check-box.
   
    - [ ] I hereby declare this contribution to be licenced under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0)
   
    - [ ] In any other case, please file an [Apache Individual Contributor License Agreement](https://www.apache.org/licenses/icla.pdf).
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [maven-resources-plugin] slachiewicz commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
slachiewicz commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111390125

   Thank you for pushing us beyond our comfort zone. 
   We try to update dependencies - with over 100 sub-projects it can be difficult.
   
   Anyway - thx for the help :)




[GitHub] [maven-resources-plugin] slachiewicz closed pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
slachiewicz closed pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :) 
URL: https://github.com/apache/maven-resources-plugin/pull/21




[GitHub] [maven-resources-plugin] michael-o commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
michael-o commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111432021

   
   
   
   > Thank you for pushing us beyond our comfort zone. We try to update dependencies - with over 100 sub-projects it can be difficult.
   > 
   > Anyway - thx for the help :)
   
   It is rather a PITA. An FTE can do updating dependencies all day long... :-(




[GitHub] [maven-resources-plugin] khmarbaise commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
khmarbaise commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111063312

   Please create a JIRA account (register) and create an appropriate issue in JIRA for that... and also check the information about license etc., otherwise we cannot accept such a PR.
   
   Changing using `final` does not solve any issue..
   
   Please reread the contribution part in the README file (https://github.com/apache/maven-resources-plugin/blob/master/README.md)...




[GitHub] [maven-resources-plugin] patpatpat123 commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
patpatpat123 commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111167058

   Hello @khmarbaise ,
   
   Wanted to say thank you for your answer here, as well as your numerous answers on StackOverflow.
   
   My goal for this PR is not to be accepted, but rather highlight the current repo is using technologies known and agreed to be EOL.
   
   Furthermore, it is also relying on dependencies that are both outdated and vulnerable.
   
   Finally, ```final``` was definitely not the point.
   
   Can you or anyone here who has agreed to the license and has the Jira account copy paste the pom, or come up with a pom that will put this project in a more secure and up to date place by updating relevant dependencies please?
   
   Or questions, are contributors / creators / maintainers of this project fine with its current status?
   
   Thank you 




[GitHub] [maven-resources-plugin] patpatpat123 commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
patpatpat123 commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111505644

   Thank you all for the help provided. Wishing you all a very pleasant day




[GitHub] [maven-resources-plugin] slachiewicz commented on pull request #21: A desperate PR to ask if it is possible to keep this repo relevant by upgrading its (full of CVEs) dependencies please :)

Posted by GitBox <gi...@apache.org>.
slachiewicz commented on PR #21:
URL: https://github.com/apache/maven-resources-plugin/pull/21#issuecomment-1111376647

   Java 8 upgrade done here: https://github.com/apache/maven-resources-plugin/commit/ad4b2adfbd106fb3aea0eb8263a84881ac92fa4d 

