by politelemon 1063 days ago
> the CVE itself is bogus and we don't use that part of the dependency.

A trend I'm noticing: compliance and infosec teams only care about checklists and aren't able to understand the nuances of CVEs. They only see the number. Thus the boneheaded pursuit and odd expectations spilling into the open source ecosystem.

1 comment

Blame the government :)

Anything regulated (FedRAMP etc.) has timelines for security issues, and they simply don't care how you can explain it. It's just 'fix it'.