by smarx007
1476 days ago
> but for an enormous class of projects
> with the [latest] toolchain update that you just pulled in

In my experience, larger projects tend to be VERY conservative with toolchain updates. For example, I have Java JDK 8 (2014), 11 (2018), 17 (2021), and 18 (2022) installed; the larger projects are on JDK 11 or are just migrating from JDK 8 to JDK 11. Newer, smaller projects are on JDK 17, and only experimental projects use JDK 18.

> Unfortunately, the reporter isn't experienced at contributing to open source and doesn't want to contribute.

One more reason not to chase the bleeding edge but to stay on LTS instead.

Bottom line, I am not removing Google Guava or Apache Jena from my projects because of a few CVEs they may have every few years. I am not sure I will write more secure and maintainable code. And even if I did, would the stakeholder really benefit from that?