We probably don't need to do an initial vote on this :D  Fixing CVEs
is probably a compelling enough reason to do this!

But if anybody thinks this is a bad idea, needs anything specific for
1.11.2 or wants to help review / resolve some of these PRs marked for
1.11.2, I'd love to hear about it.

In any case, I'm definitely going to propose a release shadowing
session (maybe recorded?) that I didn't deliver in 1.11.1!

All my best, Ryan

On Fri, Nov 4, 2022 at 7:45 PM Martin Grigorov <[email protected]> wrote:
>
> +1 for 1.11.2
>
> IMO Jackson could be upgraded to 2.13.x only for 1.12.0.
> 2.12.7 is not affected by the CVEs
>
> On Fri, Nov 4, 2022, 20:07 Ryan Skraba <[email protected]> wrote:
>
> > It looks like there's been a couple of CVE fixes in dependencies that
> > we might want to have!  See AVRO-3656, and perhaps AVRO-3658 (not yet
> > merged, bumping to jackson 2.13, which might have breaking changes).
> >
> > We've been cherry-picking pretty nicely so the branch is in a pretty
> > good state, with just a few Unresolved issues (mostly with existing
> > PRs that need some committer attention!) that have been marked for
> > 1.11.2
> >
> > What do you think?
> >
> > Ryan
> >
> > [1]
> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20AVRO%20AND%20fixVersion%20%3D%201.11.2%20%20AND%20status%20!%3D%20Resolved
> >