We are using the dependency spring-cloud-starter-netflix-eureka-client in our project, and there are a few internal dependencies coming from it, like commons-lang-2.6, commons-configuration-1.10, servlet-api-2.5, evictor-1.0.0, dexx-collections-0.2 and xmlpull-1.3.1, which give a policy violation. Are we planning to exclude these dependencies from spring-cloud-starter-netflix-eureka-client in the near future, or to use some alternate dependencies for them? If yes, when?
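Until the upstream projects drop those libraries, the only lever a consumer has is a build-level exclusion. The following pom.xml fragment is an added example, not code from this thread or from Spring Cloud, and the Maven coordinates it uses for the six artifacts named in the question are assumptions to be confirmed against `mvn dependency:tree` in your own build (group/artifact names differ from the jar file names quoted above):

```xml
<!-- Added example: excluding policy-flagged transitive dependencies from the
     Eureka client starter. Coordinates are assumed; confirm each one with
     `mvn dependency:tree -Dincludes=<groupId>` before relying on it. -->
<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
  <exclusions>
    <!-- pulled in transitively via com.netflix.eureka (assumed coordinates) -->
    <exclusion>
      <groupId>commons-lang</groupId>
      <artifactId>commons-lang</artifactId>
    </exclusion>
    <exclusion>
      <groupId>commons-configuration</groupId>
      <artifactId>commons-configuration</artifactId>
    </exclusion>
    <exclusion>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
    </exclusion>
    <exclusion>
      <groupId>com.github.andrewoma.dexx</groupId>
      <artifactId>collections</artifactId>
    </exclusion>
    <exclusion>
      <groupId>xmlpull</groupId>
      <artifactId>xmlpull</artifactId>
    </exclusion>
    <!-- used by spring-cloud-commons rather than eureka (assumed coordinates) -->
    <exclusion>
      <groupId>com.stoyanr</groupId>
      <artifactId>evictor</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Two caveats before shipping such a change. An exclusion only removes the jar from the classpath; it does not remove the code in Eureka or Spring Cloud Commons that references those classes, so anything still loaded at runtime surfaces as a `NoClassDefFoundError` in the service-registration path rather than at compile time. Run the application's integration tests (registration, heartbeat, registry fetch) after excluding, and re-run `mvn dependency:tree` to confirm the artifact is not reintroduced through a second path, since an exclusion declared on one dependency does not affect the same artifact arriving via another.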
Comment From: OlgaMaciaszek
Hello @amitKChoudhary, thanks for creating the issue. This seems like some kind of internal policy? I assume some of those libraries are listed in your policy because there are newer replacements for them or because there haven't been new releases in a while. It might make sense to switch; however, all of them other than evictor are transitive dependencies from https://github.com/Netflix/eureka, so you might want to create an issue there or work with them through submitting a PR. When it comes to evictor, that's used by Spring Cloud Commons and we may consider replacing this in the future. In any case, there are no vulnerabilities listed under the versions of those dependencies included in our projects, so this is not a priority.
Comment From: spring-cloud-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.