It's important to maintain your dependencies, by, say, embedding Lua, rather than rebranding it and then claiming you have no security flaws.
If I can find a CVE that _may_ affect the stack in five minutes, what _actual_ problems lurk there?
You vendor Lua - thus, it _is_ your responsibility to review every Lua CVE. You've set yourself up as the maintainer by vendoring.
[flagged]
You weren’t replying to me. The parent poster made a good point—a vulnerability in Lua doesn’t mean software running Lua can necessarily be exploited—but, more to the point, I do update Lunacy and make sure it’s secure, just as I still take responsibility for verified important security holes in MaraDNS.
See this, for example:
https://samboy.github.io/MaraDNS/webpage/security.html#CVE-2...