Wei-Chiu Chuang created HADOOP-16485:
----------------------------------------
Summary: Remove dependency on jackson
Key: HADOOP-16485
URL: https://issues.apache.org/jira/browse/HADOOP-16485
Project: Hadoop Common
Issue Type: Improvement
Reporter: Wei-Chiu Chuang
Looking at git history, there were 5 commits related to updating jackson
versions due to various CVEs since 2018. And it seems to get worse more
recently.
File this jira to discuss the possibility of removing jackson dependency once
for all. I see that jackson is deeply integrated into Hadoop codebase, so not a
trivial task. However, if Hadoop is forced to make a new set of releases
because of Jackson vulnerabilities, it may start to look not so costly.
At the very least, consider stripping jackson-databind code, since that's
where the majority of CVEs come from.