Dependabot - Apache Sling - Apache Software Foundation
Dependabot
Created by Robert Munteanu, last modified on Nov 12, 2025
The ASF Infra team has approved and enabled Dependabot on the ASF Github repositories.
In Sling we have long had a policy of depending on the lowest possible version of an API, to ensure that our bundles can be deployed in the widest possible range of environments. The responsibility for ensuring that the environment is secure therefore lies with the assembler and/or deployer of the application, who should make sure that the OSGi bundles they deploy are secure.
Therefore, we will reject pull requests that update dependencies of OSGi bundles.
As an exception, pull requests targeting the following are useful and should be merged:
- libraries that are embedded/inlined in OSGi bundles, since those will end up deployed directly
- dependencies of Maven plug-ins
- bundles that are deployed directly in applications like the Sling Starter, the Sling Karaf Features, or the Sling CMS
- dependencies of projects written in Node.js
- updates of dependency versions to the oldest compatible version that does not have known security vulnerabilities (per the discussion at this thread). This should resolve the concerns identified by security scanning tools while still ensuring that our bundles are deployable to the widest possible range of "secure" environments.
It is possible to configure Dependabot directly using the .asf.yaml file; see Git - .asf.yaml features#DependabotAlertsandUpdates.
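As an added illustration, not taken from this page or from any Sling repository, here is a .asf.yaml fragment using the dependabot_alerts and dependabot_updates keys described in the linked ASF Infra documentation; the rest of the repository's settings are assumed and omitted.

```yaml
# .asf.yaml at the repository root (example fragment, not a Sling project's own file).
# The dependabot_* keys are the ones documented under ".asf.yaml features":
# Dependabot alerts and updates.
github:
  # Keep security alerts on so that known-vulnerable dependencies are surfaced
  # to committers even when the corresponding update pull requests are rejected.
  dependabot_alerts: true
  # Enable or disable Dependabot version-update pull requests for this repository.
  # With updates enabled, reviewers still apply the policy above: reject PRs that
  # bump dependencies of OSGi bundles, and merge only the listed exceptions.
  dependabot_updates: true
```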