Mark release blocker Issues with a Label #6870
Comments
|
A stable Okio release is a major blocker. |
|
Hi @JakeWharton we are also waiting for the 5.x release because security scanners are flagging okhttp because of this CVE. We are getting pressure from our security team to upgrade but we are reluctant to use an alpha release in production. Since Okio is also owned by Square, could you (or anybody else) provide a rough estimate of when we can expect an official 5.x release of okhttp? |
|
Yep - I think that would be included in a 4.9.2 #6741 But the good news is that the analysis of that CVE was that it wasn't called in that form by OkHttp. You'd have to create an OkHttp client, extract the hostname verifier (a public API) then use it outside of the scope of OkHttp to be hit by that bug. |
|
Thanks @yschimke. We will upgrade to that version. Unfortunately our scanner doesn't think that version has a fix - our scanner only points us to the 5.x alpha version. |
|
Hi @yschimke, looking in Maven Central and tags here, I only see 4.9.1 but not 4.9.2 ...? |
|
Sorry for the confusing message. I included "would" as in if we release 4.9.2. |
|
Thanks @yschimke - so my next question then is: do you know when 4.9.2 may get released? |
|
4.9.2 was just released by @swankjesse |
|
Thank you @yschimke @swankjesse |
The 5.0.0-alpha.2 version was released 8 months ago on 2021-01-30. I have reviewed the commit history since then, and the open issues, but it isn't clear to me what is preventing the 5.0.0 release. I am doing this to assess whether the alpha.2 version is suitable for our use now, or whether we need to wait until the official 5.0.0 release.
It would be great if you could create a new Label (e.g. 5.0.0 Blocker, Release Blocker, etc) and assign that to the open Issues that are blocking the release. Thanks!
The text was updated successfully, but these errors were encountered: