Hi Seata Community,
As you are aware, Seata is a transaction middleware designed to ensure data consistency across various resources. Its extensive extension mechanisms allow plug-in support for storage, RPC, database, and configuration registry.
With such a broad scope of functionalities, Seata inherently relies on numerous third-party dependencies. These dependencies are often the subject of reported security vulnerabilities over time. It is in this context that I am reaching out to the community to rally our collective effort in addressing these critical security concerns.
We need proactive participation from contributors like you to help patch these vulnerabilities, ensuring that any upgrades or replacements maintain the compatibility and integrity of Seata's features. Our commitment to dependency security is unwavering; we have successfully remediated over 200 dependency vulnerabilities to date.
We have set up a dedicated project[1] to track and address these security vulnerabilities. I earnestly hope that you will appreciate the gravity of these security issues and join us in our endeavor to resolve them. Our primary focus at the moment is on the Seata, seata-go, and the official Seata website projects.
Here are the recent updates on our progress:
Thanks to the monumental efforts of liuqiufeng[2] and ptyin[3], the reconstruction of the saga designer framework and a wide-scale upgrade of dependencies have reduced the number of front-end vulnerabilities in the incubator-seata project to 25. However, we still have over 50 back-end vulnerabilities that need attention.
The security vulnerabilities on the Seata official website were significantly diminished from over 50 to fewer than 10, through an upgrade from the docsite framework to Docusaurus. Special thanks to chai001125[4] for this achievement.
We invite you to join our fix plan and help make Seata safer and more reliable. Your expertise and contributions are invaluable to our community, and together, we can ensure a more secure environment for all Seata users.
To participate or for more information on how you can help, please reply to this issue.
Thank you for your dedication to the Seata community and for considering this important initiative. Let's work together to continue to safeguard our technology.
[1]. https://github.com/apache/incubator-seata/projects/12
[2]. https://github.com/liuqiufeng
[3]. https://github.com/ptyin
[4]. https://github.com/chai001125