Release cadence & vulnerabilities. #4221
Replies: 1 comment
Yes, this is mostly correct. Retrofit has been largely done for years now. Are there things that could be added? Probably. Will we add them eventually? Maybe. Are there still bugs inside Retrofit? Probably. We fix them whenever they come up, and that's usually when there's a release. Aside from that, we will be staying on an old version of OkHttp for a while because it was rewritten in Kotlin and I'm not going to inflict the Kotlin dependency on our users without a major version bump of our own. The plan is here. However, for the time being, this will trigger your vulnerability scanning tools. You can and should update OkHttp, Okio, and serialization libraries yourself. If we had to release Retrofit every time one of our dependencies did a release we would be forced to do them constantly because we offer integrations with so many things.
There have been no changes that necessitate a release that I can see: 2.11.0...trunk. Are you waiting on something?
Hi,
Firstly thank you to all of the maintainers and contributors of this library for all of your hard work and efforts. This is a fantastic library.
A question has been raised within my teams around whether we should continue using Retrofit, as people are concerned about the maintainability / lack of regular releases. It is a bit annoying when we add this library to our projects, as our vulnerability scanning tools immediately kick off due to the transitive dependencies containing vulnerabilities. This is not the end of the world, as we can manually override these to get the tooling happy and, more importantly, ensure we are not using vulnerable packages. It would be better, though, if this library were released regularly via automation?
My assumption is that the lack of releases is a symptom of the stability/feature completeness of the API, and vulnerabilities that are being reported are all within transitive dependencies which also negates the necessity of conducting a release?
Are there any plans to release an update in the near future?
Many thanks,
Lewis Ashley
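Both posts above come down to the same practical step: the maintainer says to update OkHttp, Okio and the serialization libraries yourself, and the question mentions manually overriding the transitive versions to satisfy the scanner. The snippet below is an added illustration of how that override looks in a consumer's Gradle build; it is not Retrofit's own build file and not code from either poster. The artifact coordinates are Retrofit's and OkHttp's published ones, but the version numbers are placeholders chosen for illustration and must be replaced with the versions your scanner and the OkHttp/Okio changelogs point you at.

```kotlin
// build.gradle.kts (Gradle Kotlin DSL) of an application that depends on Retrofit.
// Added example; not part of the Retrofit project. Versions are illustrative only.
dependencies {
    implementation("com.squareup.retrofit2:retrofit:2.11.0")
    implementation("com.squareup.retrofit2:converter-moshi:2.11.0")

    // Dependency constraints raise a transitive dependency's version without turning it
    // into a direct dependency. Gradle resolves to the highest version any participant
    // requests, so the constraint wins over the older version Retrofit's POM declares.
    constraints {
        implementation("com.squareup.okhttp3:okhttp:4.12.0") { // placeholder version
            because("Retrofit 2.x declares an older OkHttp; pull in a current release ourselves")
        }
        implementation("com.squareup.okio:okio:3.9.0") { // placeholder version
            because("transitive via OkHttp and Retrofit; keep it current alongside OkHttp")
        }
        implementation("com.squareup.moshi:moshi:1.15.1") { // placeholder version
            because("serialization library referenced by the converter; update independently of Retrofit")
        }
    }
}

// Caveat noted in the maintainer's reply: OkHttp 4.x is written in Kotlin, so
// constraining it upward adds kotlin-stdlib to the runtime classpath of a Java project.

// Verification (run in the shell after editing the build file):
//   ./gradlew dependencyInsight --configuration runtimeClasspath --dependency com.squareup.okhttp3:okhttp
// The "Selection reasons" section should show the constraint above as the winner,
// and the scanner should be re-run against the resolved (not declared) versions.
```

Prefer `constraints` over `configurations.all { resolutionStrategy.force(...) }`: a forced version silently overrides every request, including a future one that is higher, whereas a constraint only sets a floor and still participates in normal conflict resolution.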