Take care of ical4j dependencies (Security) #162
@ArnyminerZ Can you please have a look which libraries this is about and which versions would fix it? We can add the dependencies as a separate section in build.gradle, something like "// Bump dependencies from ical4j". Maybe we can also exclude some unneeded ones. Then we will also have to see which dependencies are compatible with Android 7, which is the minimum SDK of DAVx5. I'd say we also increase the minimum SDK of ical4android to Android 7.
We are using ical4j 3.2.19, which has the following dependencies. According to the Maven Repository, the dependencies that have updates available are:
I'll try first excluding them all, and see if anything breaks. Otherwise I'll try updating them.
Hm the security issues persist… shouldn't they be closed automatically?
I'm not sure, but none of them are related to the ones we have skipped, right? They are
Maybe we can tweak the dependency generation to skip build dependencies (as they're not a security risk to users of the app – or did I forget something?). Reason for our problem: https://community.gradle.org/github-actions/docs/dependency-submission-faq/#im-getting-many-false-positive-dependabot-alerts-for-dependencies-that-arent-used-by-my-project-why-are-these-dependencies-being-reported
I have set the dependency graph-generating task to
We should analyze the ical4j dependencies and then upgrade to the latest possible version (considering the Android SDK level) to get rid of the automatically generated Security issues.
For issues that don't go away with this, we can analyze them manually and explicitly fix/dismiss them.