
[HWC-API] Spring Boot 1.5.3 is end-of-life - needs a dependency audit #152

@sharma-sugurthi

Description


I was exploring the HWC-API codebase to understand how the backend is structured, and while going through pom.xml I noticed the project is still on Spring Boot 1.5.3.RELEASE. This version reached end-of-life, so it hasn't been getting security patches for a while now.

```xml
<version>1.5.3.RELEASE</version>
<java.version>1.8</java.version>
```

It's not just Spring Boot though, there are a few other dependencies in there that are pretty far behind:

  • spring-data-redis 1.7.11 - current stable is 3.x
  • guava 21.0 - current is 33.x
  • springfox-swagger 2.6.1 - this project has been abandoned, last release was in 2020
  • lettuce 3.5.0 under the old biz.paluch.redis groupId - this was moved to io.lettuce and the old one doesn't get updates anymore
  • hapi-fhir 3.8.0 - current is 7.x

Given that AMRIT handles patient health records, I think it's worth documenting what's outdated and what carries the most risk. A full upgrade from 1.5 to 3.x is obviously a big undertaking, but having a clear picture of where things stand would help plan it out.

What I'd like to do: add a DEPENDENCY_AUDIT.md to the repo that lists each outdated dependency, what the latest version is, and flags the ones with known security issues. I'll also outline what an incremental upgrade path could look like (1.5 → 2.x → 3.x).

Happy to send a PR for this.
Let me know if there are any constraints I should be aware of.
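As an added example (not code from the issue author or the AMRIT project), the kind of check the proposed DEPENDENCY_AUDIT.md could be generated from: a small pom.xml auditor that resolves `${property}` versions, treats the parent POM as a dependency, and flags coordinates below a minimum major version, abandoned, or relocated to a new groupId. The sample POM, the artifactIds and the policy table are constructed from the versions named in the issue and are assumptions, not the project's actual files.

```python
# Added example (not the project's code): audit a Maven pom.xml for outdated,
# abandoned or relocated dependencies. POM, artifactIds and policy are constructed.
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Minimum acceptable major version, from the issue's "current is X.x" notes.
MIN_MAJOR = {("org.springframework.boot", "spring-boot-starter-parent"): 3,
             ("org.springframework.data", "spring-data-redis"): 3,
             ("com.google.guava", "guava"): 33,
             ("ca.uhn.hapi.fhir", "hapi-fhir-base"): 7}
# Coordinates flagged whatever the version is (assumed artifactIds).
FLAGGED = {("io.springfox", "springfox-swagger2"): "abandoned, last release 2020",
           ("biz.paluch.redis", "lettuce"): "relocated to io.lettuce:lettuce-core"}
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
 <parent><groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId><version>1.5.3.RELEASE</version></parent>
 <properties><java.version>1.8</java.version><guava.version>21.0</guava.version></properties>
 <dependencies>
  <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
   <version>${guava.version}</version></dependency>
  <dependency><groupId>biz.paluch.redis</groupId><artifactId>lettuce</artifactId>
   <version>3.5.0</version></dependency>
  <dependency><groupId>io.springfox</groupId><artifactId>springfox-swagger2</artifactId>
   <version>2.6.1</version></dependency>
 </dependencies></project>"""

def _text(node, tag):  # namespaced child text, "" when the element is absent
    return node.findtext(f"m:{tag}", "", NS).strip()

def parse_pom(xml_text):
    # Returns [(groupId, artifactId, version)], parent POM first, ${property} refs resolved.
    root = ET.fromstring(xml_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps = []
    for n in root.findall("m:parent", NS) + root.findall("m:dependencies/m:dependency", NS):
        # An unresolvable ${x} stays verbatim so it surfaces as a finding (no parseable major).
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), _text(n, "version"))
        deps.append((_text(n, "groupId"), _text(n, "artifactId"), ver))
    return deps

def audit(xml_text):
    # Returns [(coordinate, version, reason)] for every dependency that fails policy.
    findings = []
    for g, a, v in parse_pom(xml_text):
        m = re.match(r"\d+", v)
        major = int(m.group()) if m else None
        if (g, a) in FLAGGED:
            findings.append((f"{g}:{a}", v, FLAGGED[(g, a)]))
        elif (g, a) in MIN_MAJOR and (major is None or major < MIN_MAJOR[(g, a)]):
            findings.append((f"{g}:{a}", v, f"below {MIN_MAJOR[(g, a)]}.x"))
    return findings
```

Running `audit(SAMPLE_POM)` reports the 1.5.3 parent and guava 21.0 as below policy, lettuce as relocated and springfox as abandoned; the policy table is the part to keep current, ideally alongside an advisory-backed scanner rather than version numbers alone.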
