[jira] [Commented] (CASSJAVA-108) Update org.json (and very likely ESRI) dependency

Wed, 20 Aug 2025 23:33:23 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSJAVA-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18015323#comment-18015323
 ] 

Bret McGuire commented on CASSJAVA-108:
---------------------------------------

An interesting note: since 2.x esri-geometry-api [no longer includes org.json 
as a 
dependency|https://github.com/Esri/geometry-api-java/blame/v2.0.0/pom.xml#L101] 
at all... looks like they're only using Jackson now.

> Update org.json (and very likely ESRI) dependency
> -------------------------------------------------
>
>                 Key: CASSJAVA-108
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-108
>             Project: Apache Cassandra Java driver
>          Issue Type: Improvement
>            Reporter: Bret McGuire
>            Priority: Normal
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761] 
> to update org.json:json sent me down a bit of a rabbit hole re: our 
> org.json/ESRI story.  First, a bit of context.
>  
> The Java driver doesn't directly use org.json:json.  This lib is actually [a 
> dependency of the ESRI 
> lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
>  we use for supporting geographic types in DSE.  We keep the version of the 
> ESRI dependency fixed so that we're always using the same version used by the 
> server.  org.json:json occasionally has some CVEs of it's own, however, so 
> some time ago we [introduced an explicit dependency on this 
> lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
>  in order to able to version it independently from what ESRI uses.
>  
> The complication is that the server is changing the version of ESRI it uses.  
> As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and 
> the version of org.json:json has been bumped to 20230227.
>  
> I think we're basically stuck with bumping the dependency and mentioning that 
> we might see issues with older versions of DSE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to