Ivy version 2.4.0, used by the groovy-event-listener plugin, contains security vulnerabilities.
      The request is to bump org.apache.ivy:ivy from 2.4.0 to 2.5.2.

      https://github.com/jenkinsci/groovy-events-listener-plugin/pull/78 

          [JENKINS-72704] Bump org.apache.ivy:ivy from 2.4.0 to 2.5.2

          Mark Waite added a comment -

          priyank_s the Dependabot pull request proposing that upgrade has been open since Oct 2023 without any action from the plugin maintainers. The pull request has failing tests that someone will need to investigate.

          If your organization depends on the groovy events listener plugin, then you should propose to your organization that they allow you to spend some time maintaining that plugin. You can fix the failing tests in that pull request, test with Apache Ivy 2.5.2, and prepare it for a release. The plugin has already received most of the improvements suggested in "Improve a plugin", so it is in a good place for another person to help with the plugin.

          Priyank added a comment -

          Mark, is there any way in which we can check the priority from plugin maintainers on this?
          Meanwhile, let me try and spend some time to analyse and see if I can fix the issue. Thank you for providing the guide, I'll follow it and try to contribute.

          Mark Waite added a comment -

          priyank_s you can ask the maintainers on the open pull request, but since they have not merged the most recent 2 pull requests from Dependabot, I assume they are choosing to not maintain the plugin. I suspect that the current maintainers would welcome the help from an additional maintainer.

          If you're going to ask the status, you might also get better results if you also ask if the current maintainers would be willing to coach you as an additional maintainer.

            jequals5 Marky Jackson
            priyank_s Priyank