Hi all, I am not sure if this is the best channel for this, but i have opened this ticket a few days ago: https://github.com/osquery/osquery/issues/7494 . I would like to get your point of view on the criticality of those vulnerabilities and if you think they qualify to get a new release with those dependencies upgraded. Reading on the ASSURANCE.md document, i read that some of the vulnerabilities may not affect osquery for one or other reason but i am not smart enough to understand when they do or they not. The fact is that our tool (we are using SNYK) reports back 4 CRITICAL and 21 HIGH vulnerabilities which does not look really good. If they are so, would you be open to release a new osquery version sooner with those dependecies upgraded? Thanks!

Hi Juan The maintainers are meeting tomorrow morning to discuss these. We've looked into the CVEs in these dependencies and don't yet see that they impact osquery, but you're not the only one to want to see the dependencies updated. Hopefully we can offer you a timeline for an update after tomorrow's office hours

Thank you 🙏

As a follow-up, the plan is to update 2 to 4 of the dependencies immediately, then evaluate which of the others can be updated without affecting compatibility with older platforms. If needed, we can deprecate support for those. We scheduled the release of osquery for April 1

@Mike Myers thanks for the update, really appreciated