When is the next release going to happen? #4657
Hi there. This change contains a vulnerability patch under the hood that comes transitively from kotlin-stdlib (retrofit/gradle/libs.versions.toml, line 16 in 5ee12c4).
I see that in the repository it has already been addressed by bumping the version of the dependency, so the question is: when is the release going to be cut?
Replies: 1 comment 1 reply
We only do immediate releases if we're susceptible to the actual problem (which is almost never the case). Downstream consumers shouldn't be using our transitive dependencies as the sole source of versioning if they use the dependencies directly. Those projects are expected to declare the dependency and bump it to a newer version themselves if they use it directly.
The same is true of CVEs in the libraries used for converters or adapters.
The next release will probably be in a month or two when the new Jackson 3 converter is finally merged.
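
The approach described in the reply, as an added example that is not part of the original discussion or of the Retrofit project's own build: a downstream project's `build.gradle.kts` that takes ownership of the kotlin-stdlib version instead of waiting for a Retrofit release. The version strings are placeholders to fill in, and the Maven coordinates are the libraries' published ones rather than values taken from this page.

```kotlin
// build.gradle.kts of a downstream (consuming) project.
// Added example; both version strings below are placeholders.
plugins {
    `java-library`
}

repositories {
    mavenCentral()
}

// Placeholders: substitute the Retrofit release you use and the
// kotlin-stdlib version that contains the fix you need.
val retrofitVersion = "RETROFIT_VERSION"
val patchedKotlinStdlib = "PATCHED_KOTLIN_STDLIB_VERSION"

dependencies {
    implementation("com.squareup.retrofit2:retrofit:$retrofitVersion")

    // Case 1: the project never calls kotlin-stdlib itself and only receives
    // it transitively. A constraint raises the resolved version without
    // adding a new direct dependency; Gradle selects the highest version
    // requested anywhere in the graph.
    constraints {
        implementation("org.jetbrains.kotlin:kotlin-stdlib:$patchedKotlinStdlib") {
            because("patched kotlin-stdlib; otherwise inherited transitively via Retrofit")
        }
    }

    // Case 2: the project uses kotlin-stdlib directly. Declare it, as the
    // reply expects, so its version is owned here rather than inherited.
    // implementation("org.jetbrains.kotlin:kotlin-stdlib:$patchedKotlinStdlib")
}
```

Running `gradle dependencyInsight --dependency kotlin-stdlib --configuration runtimeClasspath` shows which version was selected and the reason recorded for it.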