Upgrade weld-se-core:3.1.1.final dependency of helidon 1.4.7 to latest #2650
Comments
|
We plan on updating the dependencies in 1.4.X to more closely align with what is in 2.2.X (see #2566). So that means the first step will likely be to upgrade to 3.1.4.Final. That should address the CVE. I don't have a date for this yet, but it should be fairly soon. We will be evaluating 4.X, but I imagine we will stay on the 3.1.X line a bit longer to give 4.X some soak time. |
|
@barchetta Weld v4.x uses |
|
@dansiviter You are correct. Weld 4.x is not an option for Helidon 1.4.x. |
|
We won't be upgrading to Weld 4.x for a while due to incompatibilities with current MicroProfile specifications. For now we will be upgrading Weld to 3.1.4.Final in 1.4.8 to address the CVE (See #2566), and we will be upgrading to the latest 3.x Weld in the future. That is being tracked by issue #2665. Since Weld upgrades are covered by #2566 and #2665 I am closing this issue. |
Environment Details
Hi Team,
We are using helidon-1.4.7 in our project. The dependency weld-se-core:3.1.1.Final was showing up in the owasp scan as a low issue. When analyzing the fix for that we figured out that the dependecy 3.1.1.Final is too old.
I tried to override the version to 4.0.0, but looks like helidon is not compatible with this version. I checked the dependencies of the latest helidon version, even latest helidon uses 3.1.4.Final. I tried upgrading to 3.1.5.Final it works fine but 4.x is not supported by Helidon.
There is also a suggestion from our security lead to use weld-se-core:4.0.0.Final with helidon-1.4.7.
Can you please let us know if this can be fixed, That is provide a support for helidon-1.4.7 to work with weld-se-core:4.0.0.Final. Or if it is already planned share the timelines for the same so that we can communicate the same to our security team.
Regards,
Thammaiah MB
The text was updated successfully, but these errors were encountered: