Confused getting dev environment set up

From an enterprise perspective, if I have to explain why security wins out over “cool”, then there really isn’t more to say.

Tomcat, Last Security Advisory confirmed 1-26-22
Patch available 1-20-22

CommandBox (Stable) released 10/21
Undertow security advisories confirmed (using Undertow 2.10.final)
Undertow security advisory reported 10-14-21

Security update available (in stable) on 5/6/22

Is your advice to run CommandBox bleeding edge (BE) to be secure?

Terry, thanks for your concern. I’m not planning on running my production server with CommandBox. At the moment it’s only set up on my dev PC. I’ll have no need to be switching back and forth on a single computer for that. I’ll discuss the security setup with Viviotech and others before I set it up there. Right now I’m just tidying up the sites and making sure they all work with Lucee without breaking. In the process I’ve seen enough things that could do with rework to keep me busy for the rest of the year. But I’ll put them in priority order and tackle them as I get to them.

Thanks again for your concern, and your points are well noted, I promise.

Cheers
Mike Kear
Windsor, NSW, Australia

I use Undertow for some of our embedded items. But I’m also competent enough to replace jars when there are security issues. Are you saying that, from an enterprise perspective, you aren’t?

From an enterprise perspective, all security is done in layers. I’d expect you to have a WAF, and a load balancer, and a cluster of servers, and to be able to replace whatever components need replacing. Layers are there so that the overlapping of the whole solution provides your ultimate security. Brad is literally one guy supporting CommandBox, and he does a great job. Plus the entire community issuing PRs. Did you issue a PR against CommandBox when you noticed the problem, or file an issue on GitHub?

You did say it was your perspective… as this is just mine.

But, we’re OT. :smiley:


We have more than WAFs :slight_smile:

This isn’t against @bdw429s. I LOVE (and I can’t stress this enough) command line tools, and CommandBox being a command line tool is cool. Seriously, cool.

And no, I will not file a PR, for this or anything else.
