+1

Kind Regards,
Brandon

On Fri, Aug 11, 2023 at 8:08 AM Ekaterina Dimitrova <e.dimitr...@gmail.com> wrote:
>
> “The rationale for this proposed deprecation is that the upcoming 5.0
> release is a good time to evaluate dependencies that are no longer receiving
> updates and will become risks in the future.”
>
> Thank you for raising it, I support your proposal for deprecation
>
> On Fri, 11 Aug 2023 at 8:55, Abe Ratnofsky <a...@aber.io> wrote:
>>
>> Hey folks,
>>
>> Opening a thread to get input on a proposed dependency deprecation in 5.0:
>> metrics-reporter-config has been archived for 3 years and not updated in
>> nearly 6 years.
>>
>> This project has a minor security issue with its usage of unsafe YAML
>> loading via snakeyaml’s unprotected Constructor:
>> https://nvd.nist.gov/vuln/detail/CVE-2022-1471
>>
>> This CVE is reasonable to suppress, since operators should be able to trust
>> their YAML configuration files.
>>
>> The rationale for this proposed deprecation is that the upcoming 5.0 release
>> is a good time to evaluate dependencies that are no longer receiving updates
>> and will become risks in the future.
>>
>> https://issues.apache.org/jira/browse/CASSANDRA-18743
>>
>> —
>> Abe
>>