If you believe you have found a vulnerability please report it responsibly. IBM has documented the process for reporting vulnerabilities at https://www.ibm.com/trust/security-psirt.

The SDK is regularly scanned for known CVEs in dependencies and updates to versions with remediations are applied and released as soon as possible. Reporting known CVEs in dependencies in this repository is not necessary and will not lead to a faster resolution.