ayushtkn commented on PR #4544: URL: https://github.com/apache/hadoop/pull/4544#issuecomment-1180215296
@pjfanning Yes, that CVE fixed in a released version is a problem. But downstream projects don't have an option, I think. There are two dependencies coming in and conflicting, since they have the same classes. A Jersey upgrade can be a solution at Hadoop, but that also leads to incompatible changes (our initial assumptions & past experiences).

Bunch of details here: https://github.com/apache/hadoop/pull/4461 and in the end here: https://issues.apache.org/jira/browse/HADOOP-18033

It leads to issues with Spark, Tez, Hive & Kyuubi (https://github.com/apache/incubator-kyuubi/issues/2904). The Tez Jira and other details are also linked in HADOOP-18033.

Do let me know your thoughts. The plan is to put it in the release notes and flag it, maybe in the release announcement and so on, and re-work the Jackson upgrade along with Jersey without blocking any release lines.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
