OWASP dependency check

Hi,

We are checking out projects with the OWASP dependency checker and it is reporting several vulnerabilities in the dependencies of the latest release of Axon Framework. Some dependencies are quite old: GRPC and Guava.

Could you please update your dependencies in the next release?

Regards

Hi Victor,

Thanks for marking this concern with us, that’s much appreciated.
I still have a couple of questions regarding your concern though, which I hope you can answer.

Firstly, what version are you talking about?
I am assuming the latest version of Axon Framework, but it would be valuable to know.

Second to that, would you be able to share your findings by creating an issue on the framework’s GitHub page?
Especially vulnerability concerns like this are best suited to be put up there.
The intent of the user group is to discuss approaches or problems regarding the framework, whilst your point more so feels like a concern which should be picked up ASAP.
In that sense, adding an issue is justified if you ask me.

Lastly, if you add the issue, would you be able to specify the exact dependencies which are out of date?

Cheers,

Steven van Beelen

Axon Framework Lead Developer

AxonIQ