@cereal @lan mixed feelings here. most H2 users aren't vulernable, the issue is that shitty CVE scanners just see H2 in your depdendencies and match it with a CVE and mark it as a critical vulnerability. you're only vulnerable if you use the library in a nonstandard way.

On the other hand why are they so resistant to removing that command line option, the CVE is absolutely correct

it would take little effort if corporations wanted to pay just a little money, to make a downstream fork of H2 that does NOTHING but remove that CLI option and they'll avoid the CVE so they should just DO THAT