
Question about dependencies in terms of their EOL

Open synergiator opened this issue 5 years ago • 5 comments

Hi there,

as far as I can see, Overleaf depends on these components:

  • Redis 5.0
  • Mongo DB 3.6

According to the following sources, these versions have the following EOL (End of Life) dates, which possibly means there will be no more security updates. This could become a security problem.

  • Redis 5.0: EOL since May 31, 2019
  • Mongo 3.6: upcoming EOL due April 2021

What are current migration plans?

https://docs.redislabs.com/latest/rs/administering/product-lifecycle/

https://www.mongodb.com/support-policy

synergiator avatar Sep 11 '20 07:09 synergiator

I've updated the documentation to reflect Overleaf depends on Redis 5.x (which is not EOL), as defined in the compose file.

mserranom avatar Sep 11 '20 11:09 mserranom

@mserranom Again the same problem:

  • MongoDB 4.2 is going EOL in April 2023 (one month left) [source]
  • Redis 5.x is EOL as of 31 October 2021, more than a year ago [source]

d1nuc0m avatar Feb 25 '23 17:02 d1nuc0m

Also pinging @aeaton-overleaf @timothee-alby @emcsween

d1nuc0m avatar Feb 28 '23 16:02 d1nuc0m

Hi @d1nuc0m. Thanks for the heads up! The latest version of Overleaf actually runs on MongoDB 4.4, as you can see in the docker-compose file. I've updated the documentation to clarify that fact.

You're right that the same docker-compose file pulls Redis 5.x. Overleaf should run fine on Redis 6.x. We'll look at making that upgrade.

emcsween avatar Feb 28 '23 21:02 emcsween

> Overleaf should run fine on Redis 6.x. We'll look at making that upgrade.

Thank you, I'll wait for a confirmation

d1nuc0m avatar Mar 01 '23 10:03 d1nuc0m

Hello,

The docker-compose file references redis:6.2 now, which is the latest version on the 6.x release line, which is still supported by Redis until the release of redis 8.x.

Greetings, Jakob

das7pad avatar Sep 05 '24 12:09 das7pad