Update cve vuln #16967
Update cve vuln #16967
Conversation
Signed-off-by: fengshunli <1171313930@qq.com>
|
Thank you for your pull request. |
|
CLA has been signed @Xenorith |
| @@ -130,9 +130,9 @@ | |||
| <glusterfs-hadoop.version>2.3.13</glusterfs-hadoop.version> | |||
| <grpc.version>1.37.0</grpc.version> | |||
| <gson.version>2.8.9</gson.version> | |||
| <netty.version>4.1.52.Final</netty.version> | |||
| <netty.version>4.1.86.Final</netty.version> | |||
There was a problem hiding this comment.
netty is one of the delicate dependencies in the product that could have potential ramifications. we would not be able to take this specific change without extensive testing, in particular around the areas of scale and performance. i would advise to exclude this change from this PR
| <rocksdb.version>7.0.3</rocksdb.version> | ||
| <hadoop.version>3.3.1</hadoop.version> | ||
| <hadoop.version>3.2.3</hadoop.version> |
There was a problem hiding this comment.
wouldn't this be a downgrade?
since our filesystem API is based on this hadoop version, this type of change could have unintended consequences that may not be surfaced at the PR level. this needs to be separately scrutinized and would similarly advise excluding from this PR (along with the other hadoop version change)
| @@ -153,7 +153,7 @@ | |||
| <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> | |||
| <project.build.outputTimestamp>${git.commit.time}</project.build.outputTimestamp> | |||
| <slf4j.version>1.7.30</slf4j.version> | |||
| <jackson.version>2.13.3</jackson.version> | |||
| <jackson.version>2.13.5</jackson.version> | |||
There was a problem hiding this comment.
this change looks acceptable. but i would prefer if each version change is self contained so we may merge and evaluate any issues separately, rather than merging several changes all at once.
| @@ -40,7 +40,7 @@ | |||
| <dependency> | |||
| <groupId>org.jsoup</groupId> | |||
| <artifactId>jsoup</artifactId> | |||
| <version>1.8.3</version> | |||
| <version>1.14.2</version> | |||
There was a problem hiding this comment.
though it is a large version bump, this is a fairly isolated dependency. i would still like to follow the best practice of separate PRs for version changes
|
closing in favor of independent changes |
What changes are proposed in this pull request?
Please outline the changes and how this PR fixes the issue.
#16968
Why are the changes needed?
Please clarify why the changes are needed. For instance,
Does this PR introduce any user facing changes?
Please list the user-facing changes introduced by your change, including