Hello Vincent,

It depends on your future strategy. Cocoon is very flexible. We've been running Cocoon 3.0-beta in production with Tomcat 9/10, Quarkus and even Kubernetes 1.20 etc. No problems at all :) with Java 8 :) We cannot switch to Java 11, because it's not compatible with Cocoon libraries anymore :( That's the only obstacle.
Maybe someone could "update" the Cocoon stack to use the Java 11 LTS JVM? Or now 17 LTS? :)

As long as it does its job, Cocoon is fine! Although the number of pipelines that are still in use in our Cocoon deployments has decreased over time.
We switched to the Vue.js framework as frontend and Spring-Boot 2 as backend technologies, all running on Kubernetes multi-clusters.
Both Vue and Spring-Boot 2 are very lightweight and suit our needs better (to build Web-Portals) than Cocoon. Even though we still use Cocoon for some integration stuff and fast proxy/gateway to many "old" services or database access.


Mon, 19 Jul 2021 at 14:03 Vincent Neyt <vincent.neyt@gmail.com> wrote:
Hi Cocoon users,

I'd like to ask your opinion on the long-term security risks of running Cocoon on a server. The colleague responsible for the servers at my university is inquiring if the software I'm using for my website is up to date and is concerned that I'm using outdated software that could in the future pose a security risk.

I'm using Cocoon 2.1.11, which I could probably upgrade to 2.1.13 without many problems. But I'm concerned about the long term, and wondering if it would perhaps be better to reprogram the website I've been working on for 10 years into eXist DB (which would be a huge time investment). I like Cocoon very much and would love to continue using it if it's possible.

I'm curious to hear your thoughts about using Cocoon 2.1 for the long term: will it still work well inside future versions of servlet containers like Tomcat? What about the Java dependencies? And will Cocoon 2.1 continue to put out updates when security risks are identified?

Thanks very much,