[QUESTION] End of life for security support for Jetty 9.4 #11644
Comments
smesh
changed the title
|
Even Jetty 10 and Jetty 11 is at End of Community Support. You should be using Jetty 12 at this point in time. |
|
@joakime , thank you for responding. For ee8, could I use Java 8 to compile and run? |
That was answered in both links I sent you earlier. Short answer, since you seem to be concerned about security updates, Java 8 is no longer supported by us, and many of our third party dependencies. If you exclude build and test dependencies, there are about 13 dependencies (direct and transitive) that have reached end of life, and have security advisories against them, with no updates available on Java 8. We cannot update those on Jetty 9 anymore, but have updated them on Jetty 12 with its Java 17 minimum JDK requirement. You should also know that many large companies (Google, Amazon, Microsoft, etc) have already dropped Java 8 support on their infrastructure. At this point in time it's less maintenance hassle to upgrade to Java 11 than to stick with Java 8. As the only safe choice is to maintain ALL of your dependencies as forks and keep them up to date with manually applying security vulnerability patches on your own forks just to maintain a vulnerability free set of dependencies on Java 8. We have already discussed internally when we will set Jetty 9 to End of Life, and the leading choice is January 2025 (and this is from the conservative voices, the others wanted Jetty 9 to be End of Life years ago) |
|
@joakime , thank you very much for detailed and valuable explanation. |
On https://endoflife.date/eclipse-jetty security support for Jetty 9.4 looks like continuing (green Yes) without end of life for it. Probably, this information is not current and there is already end of life date for security support for Jetty 9.4?
Sorry, if github issue is not appropriate form for such questions. I will ask in another place, if somebody advise where.
The text was updated successfully, but these errors were encountered: