[
https://issues.apache.org/jira/browse/CASSANDRA-20314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940826#comment-17940826
]
Stefan Miklosovic commented on CASSANDRA-20314:
-----------------------------------------------
We do pull it, but we are not shipping it; we are deleting it here:
https://github.com/apache/cassandra/blob/trunk/.build/build-resolver.xml#L254-L255
The reason we do it like that is that when you declare
netty-tcnative-boringssl-static in parent-pom-template.xml, under normal
circumstances you might exclude some dependencies that the artifact itself
depends on, but netty-tcnative-boringssl-static is special in that the
platform-specific dependencies it contains share the same group and artifact
id; they differ only in "classifier". If you tried to exclude such a dependency
like this, it would fail to build. IDEA actually marks "classifier" as an
illegal element.
{code}
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative-boringssl-static</artifactId>
  <version>2.0.70.Final</version>
  <exclusions>
    <exclusion>
      <groupId>io.netty</groupId>
      <artifactId>netty-tcnative-boringssl-static</artifactId>
      <classifier>windows-x86_64</classifier>
    </exclusion>
  </exclusions>
</dependency>
{code}
So the next best thing is to just remove it manually so it is not among the
jars we ship.
> Upgrade Netty to 4.1.119.Final and netty-tcnative to 2.0.70.Final
> ------------------------------------------------------------------
>
> Key: CASSANDRA-20314
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20314
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Dependencies
> Reporter: Dmitry Konstantinov
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 5.0.4, 5.1
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Upgrade netty and netty-tcnative to get security fixes:
> * [https://netty.io/news/2025/02/10/4-1-118-Final.html]
> * [https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw|https://netty.io/news/2025/02/10/4-1-118-Final.html]
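Because the exclusion cannot name a classifier and the jar is removed in a separate build step, a release check can confirm that the removal actually took effect. The script below is an added example, not code from the Cassandra build: it flags netty-tcnative-boringssl-static jars whose classifier is not on an allow-list. The allow-list and the sample file names are constructed for illustration and do not describe which platforms Cassandra ships.

```python
import re
from pathlib import Path

ARTIFACT_ID = "netty-tcnative-boringssl-static"  # artifact named in the comment

# Assumption: Maven's default file name, <artifactId>-<version>[-<classifier>].jar,
# with a version that contains no hyphen (true for 2.0.70.Final).
_JAR_RE = re.compile(
    r"^" + re.escape(ARTIFACT_ID)
    + r"-(?P<version>[^-]+)(?:-(?P<classifier>.+))?\.jar$"
)

def parse_jar(file_name):
    """Return (version, classifier or None); None if it is another artifact."""
    m = _JAR_RE.match(file_name)
    return (m["version"], m["classifier"]) if m else None

def unexpected_jars(file_names, allowed_classifiers):
    """List ARTIFACT_ID jars whose classifier is not allow-listed.

    The unclassified main jar is always accepted.
    """
    flagged = []
    for name in sorted(file_names):
        parsed = parse_jar(name)
        if parsed is None:
            continue  # different artifact, not our concern
        _, classifier = parsed
        if classifier is not None and classifier not in allowed_classifiers:
            flagged.append(name)
    return flagged

def check_lib_dir(lib_dir, allowed_classifiers):
    """Run the same check over the jars in a directory on disk."""
    names = (p.name for p in Path(lib_dir).glob("*.jar"))
    return unexpected_jars(names, allowed_classifiers)

# Constructed sample: what a lib/ directory might contain if the delete step were skipped.
SAMPLE_LIB = [
    "netty-handler-4.1.119.Final.jar",
    "netty-tcnative-classes-2.0.70.Final.jar",
    "netty-tcnative-boringssl-static-2.0.70.Final.jar",
    "netty-tcnative-boringssl-static-2.0.70.Final-linux-x86_64.jar",
    "netty-tcnative-boringssl-static-2.0.70.Final-windows-x86_64.jar",
]
SAMPLE_ALLOWED = {"linux-x86_64", "linux-aarch_64", "osx-x86_64", "osx-aarch_64"}

if __name__ == "__main__":
    for jar in unexpected_jars(SAMPLE_LIB, SAMPLE_ALLOWED):
        print("unexpected platform jar:", jar)
```

Pointing `check_lib_dir` at the unpacked distribution's jar directory in CI makes a skipped or broken delete step fail the build instead of reaching a release.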