[jira] [Updated] (CASSJAVA-108) Update org.json (and very likely ESRI) dependency

Tue, 13 Jan 2026 18:08:09 -0800 


     [ 
https://issues.apache.org/jira/browse/CASSJAVA-108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bret McGuire updated CASSJAVA-108:
----------------------------------
    Change Category: Operability
         Complexity: Normal
        Component/s: Core
             Status: Open  (was: Triage Needed)

> Update org.json (and very likely ESRI) dependency
> -------------------------------------------------
>
>                 Key: CASSJAVA-108
>                 URL: https://issues.apache.org/jira/browse/CASSJAVA-108
>             Project: Apache Cassandra Java driver
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Bret McGuire
>            Assignee: Bret McGuire
>            Priority: Normal
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761] 
> to update org.json:json sent me down a bit of a rabbit hole re: our 
> org.json/ESRI story.  First, a bit of context.
>  
> The Java driver doesn't directly use org.json:json.  This lib is actually [a 
> dependency of the ESRI 
> lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
>  we use for supporting geographic types in DSE.  We keep the version of the 
> ESRI dependency fixed so that we're always using the same version used by the 
> server.  org.json:json occasionally has some CVEs of it's own, however, so 
> some time ago we [introduced an explicit dependency on this 
> lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
>  in order to able to version it independently from what ESRI uses.
>  
> The complication is that the server is changing the version of ESRI it uses.  
> As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and 
> the version of org.json:json has been bumped to 20230227.
>  
> I think we're basically stuck with bumping the dependency and mentioning that 
> we might see issues with older versions of DSE.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to