Some warnings exist about a vulnerability in Rome, which is used for RSS parsing. For default installations, this isn't problematic, since the default RSS URL is also within our control. For users configuring `rss.url` to a non-default value, this might expose some amount of risk.

https://github.com/rometools/rome/releases shows that

- v1.17.0 includes the fix
- v1.19.0 is available, and likely has no breaking changes
- v2.1.0 is latest at time of writing, and might be an easy upgrade

We already did some work to lower our dependency on Rome. Finish that work, and don't use a full-blown RSS stack for a little panel on the Admin homepage.
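As an added illustration of the "no full-blown RSS stack" direction (example code written for this issue, not code from the project or from Rome), the sketch below reads only the handful of RSS 2.0 elements a small headline panel needs, using the JDK's own DOM parser with DTD processing and external entities switched off, so a user-supplied `rss.url` cannot turn feed parsing into an XXE or entity-expansion problem. The class and method names, the byte cap, and the sample feed are all hypothetical; fetching the bytes (with a timeout and the same size cap) is left to the caller.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical minimal RSS 2.0 headline reader for a small admin panel (not the project's code). */
public final class MinimalRssReader {

    /** Upper bound on feed size we are willing to parse; an assumed value, tune for the panel. */
    private static final int MAX_FEED_BYTES = 512 * 1024;

    /** One headline from the feed (requires Java 16+ for records). */
    public record Headline(String title, String link) {}

    /**
     * Build a DOM parser with DTDs, external entities and XInclude disabled, so a feed fetched
     * from an untrusted rss.url cannot trigger XXE or entity-expansion attacks.
     */
    private static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse already-fetched feed bytes and return at most maxItems headlines. */
    public static List<Headline> headlines(byte[] feedXml, int maxItems) throws Exception {
        if (feedXml.length > MAX_FEED_BYTES) {
            throw new IllegalArgumentException("feed exceeds " + MAX_FEED_BYTES + " bytes");
        }
        Document doc = hardenedParser().parse(new ByteArrayInputStream(feedXml));
        NodeList items = doc.getElementsByTagName("item");
        List<Headline> out = new ArrayList<>();
        for (int i = 0; i < items.getLength() && out.size() < maxItems; i++) {
            Element item = (Element) items.item(i);
            out.add(new Headline(text(item, "title"), text(item, "link")));
        }
        return out;
    }

    /** Text of the first child element named tag, or "" when absent. */
    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample feed for the demo; a feed carrying a DOCTYPE would be rejected by hardenedParser().
        String sample = "<?xml version=\"1.0\"?><rss version=\"2.0\"><channel><title>News</title>"
            + "<item><title>Release 1.19.0</title><link>https://example.invalid/1</link></item>"
            + "<item><title>Release 2.1.0</title><link>https://example.invalid/2</link></item>"
            + "</channel></rss>";
        for (Headline h : headlines(sample.getBytes(StandardCharsets.UTF_8), 5)) {
            System.out.println(h.title() + " -> " + h.link());
        }
    }
}
```

Whether the project keeps Rome (on a fixed version, v1.17.0 or later per the release notes above) or drops it, the check that matters for a non-default `rss.url` is the same: the parser behind the panel must refuse DOCTYPEs and external entities, and the fetch should be bounded in time and size.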