Difficulty detecting security vulnerabilities due to non-submodule dependency

[elvyso]

I want to raise a potential hurdle in effectively detecting security vulnerabilities within the OpenSSL library, which is currently integrated as a dependency deep within the project's dependency tree. While OpenSSL plays a crucial role, its non-submodule structure might pose limitations for certain security scan tools.

Limited visibility into the OpenSSL dependency might hinder comprehensive security assessments, increasing the risk of undetected vulnerabilities and potential exploits.

We would appreciate collaborating with the project maintainers to explore solutions that enhance the visibility of the OpenSSL dependency for security scan tools.

[qzhuyan]

We dont use submodule due to emqx faviours otherwise PR is welcomed if you know what exactly should be done.