Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Enhancement] Dependency updates welcome? #1727

Open
reneleonhardt opened this issue Aug 6, 2024 · 2 comments
Open

[Enhancement] Dependency updates welcome? #1727

reneleonhardt opened this issue Aug 6, 2024 · 2 comments
Labels
enhancement New feature or request Stale

Comments

@reneleonhardt
Copy link

Who is this for and what problem do they have today?

AutoMQ users facing bugs and security vulnerabilities caused by old dependencies and Docker images.

Why is solving this problem impactful?

I guess most code is still coming from Kafka upstream, that would explain the large technical debt (many outdated versions).
Updating as many dependencies and Docker images as possible does not only fix security vulnerabilities, but also fixes other bugs and allows using new features.
Just look at a current trivy scan of confluentinc/cp-kafka to see how many months they wait until updating a single dependency...

Additional notes

If updates are welcome in this project (for example you updated minJavaVersion 5 months ago) I could provide a first PR with what updates I can find and a Dependabot config to automate this tedious process in the future.
Just by looking for a minute through main I saw already dozens of updates (i.e. kafka 3.7.1 and 3.8.0, Guava, JDK, GraalVM, Gradle, Maven, ...).

@reneleonhardt reneleonhardt added the enhancement New feature or request label Aug 6, 2024
@superhx
Copy link
Collaborator

superhx commented Aug 14, 2024

Updating dependencies is not just about updating versions; it is a more complex task that requires additional effort in compatibility adaptation, performance regression, and other preparatory tasks.
The dependencies of Apache Kafka upstream have been verified by a large number of users in the community, so AutoMQ currently adopts a dependency version update strategy that follows Apache Kafka upstream.

@reneleonhardt
Copy link
Author

I see, maybe you want to make these invisible barriers preventing reducing technical debt more transparent by writing tests showing that performance is "100%" now with those old dependencies, so updates that reduce performance can be identified automatically?
That all major frameworks are compatible like Spring Boot 3.3 + Spring Kafka 3.2 + Spring Cloud Stream 4.1 and Quarkus 3.13 + SmallRye Reactive Messaging 4.18 and Micronaut 4.6 + Micronaut Kafka 5.5 to automatically show that an dependency update breaks compatibility in one component?

And performance and compatibility which can't be improved by updates outweigh security risks for your users because of years of technical debt?
https://www.veracode.com/resources/state-software-security-2024-addressing-threat-security-debt

$ docker pull automqinc/automq:1.1.2-rc0
$ trivy image --scanners vuln automqinc/automq:1.1.2-rc0
automqinc/automq:1.1.2-rc0 (debian 11.3)
========================================
Total: 1451 (UNKNOWN: 0, LOW: 946, MEDIUM: 184, HIGH: 278, CRITICAL: 43)

Updating Debian 11.3 (2.5 years old) to 12.6 (2 months old) would fix hundreds of vulnerabilities alone, leaving Java with 1 easy update fixing 2 vulnerabilities... but it's impossible because netty-codec-http 4.1.108 is slow and incompatible to 4.1.94? 🤔

Library Vulnerability Severity
io.netty:netty-codec-http CVE-2024-29025 MEDIUM
(netty-codec-http-4.1.100.Final.jar)
io.netty:netty-codec-http
(netty-codec-http-4.1.94.Final.jar)
io.netty:netty-codec-http2 GHSA-xpw8-rcwv-8f8p HIGH
(netty-codec-http2-4.1.94.Final.jar)

@github-actions github-actions bot added the Stale label Nov 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Stale
Projects
None yet
Development

No branches or pull requests

2 participants