[
https://issues.apache.org/jira/browse/CASSJAVA-108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bret McGuire updated CASSJAVA-108:
----------------------------------
Description:
A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761] to
update org.json:json sent me down a bit of a rabbit hole re: our org.json/ESRI
story. First, a bit of context.
The Java driver doesn't directly use org.json:json. This lib is actually [a
dependency of the ESRI
lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
we use for supporting geographic types in DSE. We keep the version of the
ESRI dependency fixed so that we're always using the same version used by the
server. org.json:json occasionally has some CVEs of its own, however, so some
time ago we [introduced an explicit dependency on this
lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
in order to be able to version it independently from what ESRI uses.
The complication is that the server is changing the version of ESRI it uses.
As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and
the version of org.json:json has been bumped to 20230227.
I think we're basically stuck with bumping the dependency and mentioning that
we might see issues with older versions of DSE.
was:
A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761] to
update org.json:json sent me down a bit of a rabbit hole re: how we should
handle updates. First, a bit of context.
The Java driver doesn't directly use org.json:json. This lib is actually [a
dependency of the ESRI
lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
we use for supporting geographic types in DSE. We keep the version of the
ESRI dependency fixed so that we're always using the same version used by the
server. org.json:json occasionally has some CVEs of its own, however, so some
time ago we [introduced an explicit dependency on this
lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
in order to be able to version it independently from what ESRI uses.
The complication is that the server is changing the version of ESRI it uses.
As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and
the version of org.json:json has been bumped to 20230227.
I think we're basically stuck with bumping the dependency and mentioning that
we might see issues with older versions of DSE.
> Update org.json (and very likely ESRI) dependency
> -------------------------------------------------
>
> Key: CASSJAVA-108
> URL: https://issues.apache.org/jira/browse/CASSJAVA-108
> Project: Apache Cassandra Java driver
> Issue Type: Improvement
> Reporter: Bret McGuire
> Priority: Normal
>
> A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761]
> to update org.json:json sent me down a bit of a rabbit hole re: our
> org.json/ESRI story. First, a bit of context.
>
> The Java driver doesn't directly use org.json:json. This lib is actually [a
> dependency of the ESRI
> lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
> we use for supporting geographic types in DSE. We keep the version of the
> ESRI dependency fixed so that we're always using the same version used by the
> server. org.json:json occasionally has some CVEs of its own, however, so
> some time ago we [introduced an explicit dependency on this
> lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
> in order to be able to version it independently from what ESRI uses.
>
> The complication is that the server is changing the version of ESRI it uses.
> As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and
> the version of org.json:json has been bumped to 20230227.
>
> I think we're basically stuck with bumping the dependency and mentioning that
> we might see issues with older versions of DSE.