Update cve vuln #16967
Signed-off-by: fengshunli <1171313930@qq.com>
Thank you for your pull request.
CLA has been signed @Xenorith
thanks for flagging the vulnerable dependencies and their appropriate version to update to. unfortunately we would not be able to accept all your changes without more validation, but please do raise individual PRs for the less impactful dependencies
@@ -130,9 +130,9 @@ | |||
<glusterfs-hadoop.version>2.3.13</glusterfs-hadoop.version> | |||
<grpc.version>1.37.0</grpc.version> | |||
<gson.version>2.8.9</gson.version> | |||
<netty.version>4.1.52.Final</netty.version> | |||
<netty.version>4.1.86.Final</netty.version> |
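Review bot: the `<netty.version>` bump from 4.1.52.Final to 4.1.86.Final is not tied to a named advisory anywhere in this PR; the description only points at #16968. Because every module that resolves `${netty.version}` picks this up at once, please state in the PR body which vulnerability is being closed and which modules are affected, and either attach the results of a scale/performance run or move this bump into its own PR so it can be evaluated in isolation.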
netty is one of the delicate dependencies in the product that could have potential ramifications. we would not be able to take this specific change without extensive testing, in particular around the areas of scale and performance. i would advise to exclude this change from this PR
<rocksdb.version>7.0.3</rocksdb.version> | ||
<hadoop.version>3.3.1</hadoop.version> | ||
<hadoop.version>3.2.3</hadoop.version> |
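Review bot: `<hadoop.version>` moves from 3.3.1 to 3.2.3, which is a step back to an older minor line rather than an update, and in a PR titled "Update cve vuln" that needs an explicit justification. Please name the advisory this is meant to address and confirm that 3.2.3 actually contains the fix instead of being an earlier release that still carries the issue; `<rocksdb.version>` is unchanged context here and is not part of the change. Given that the filesystem API is built against this Hadoop version, this belongs in a separate PR with its own test evidence.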
wouldn't this be a downgrade?
since our filesystem API is based on this hadoop version, this type of change could have unintended consequences that may not be surfaced at the PR level. this needs to be separately scrutinized and would similarly advise excluding from this PR (along with the other hadoop version change)
see #17002
@@ -153,7 +153,7 @@ | |||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | |||
<project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp> | |||
<slf4j.version>1.7.30</slf4j.version> | |||
<jackson.version>2.13.3</jackson.version> | |||
<jackson.version>2.13.5</jackson.version> |
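Review bot: the `<jackson.version>` bump from 2.13.3 to 2.13.5 stays within the 2.13 patch line, so it is the lowest-risk change in this PR, but it still lacks a reference to the advisory it closes; please cite it in the PR description. Also confirm that every Jackson artifact in the build (core, databind, annotations and any dataformat modules) resolves through `${jackson.version}` rather than a hard-coded version, otherwise the bump only fixes part of the dependency tree.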
this change looks acceptable. but i would prefer if each version change is self contained so we may merge and evaluate any issues separately, rather than merging several changes all at once.
see #17000
@@ -40,7 +40,7 @@ | |||
<dependency> | |||
<groupId>org.jsoup</groupId> | |||
<artifactId>jsoup</artifactId> | |||
<version>1.8.3</version> | |||
<version>1.14.2</version> |
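Review bot: the `<version>` bump for `org.jsoup:jsoup` jumps from 1.8.3 to 1.14.2, skipping a large number of releases, so HTML parsing and cleaning behaviour may differ from what the consuming module expects; please identify that module in the PR description, run its tests against the new version, and cite the advisory that motivates the upgrade. Since this dependency is declared directly here rather than through a shared property, it is a good candidate for the stand-alone PR the maintainer asked for.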
though it is a large version bump, this is a fairly isolated dependency. i would still like to follow the best practice of separate PRs for version changes
see #17001
closing in favor of independent changes
What changes are proposed in this pull request?
#16968
Why are the changes needed?
Does this PR introduce any user facing changes?