+1

The rationale for deprecating/removing this library is not just that it is obsolete and doesn't get updates. In fact, when the metrics-reporter-config [1] was added the dropwizard metrics library (formerly com.yammer.metrics [2]) didn't support exporting metrics to files like csv, so it made sense at that time. Now it is fully covered by the dropwizard reporters [3], so users can achieve the same behaviour without the need for metrics-reporter-config. And that's why I have a lot of doubts about it being used by anyone, but deprecation is friendlier because there's no rush to remove it. :-)

[1] https://issues.apache.org/jira/browse/CASSANDRA-4430
[2] https://issues.apache.org/jira/browse/CASSANDRA-5838
[3] https://metrics.dropwizard.io/4.2.0/getting-started.html#other-reporting

On Fri, 11 Aug 2023 at 16:50, Caleb Rackliffe <calebrackli...@gmail.com> wrote:
>
> +1
>
> > On Aug 11, 2023, at 8:10 AM, Brandon Williams <dri...@gmail.com> wrote:
> >
> > +1
> >
> > Kind Regards,
> > Brandon
> >
> >> On Fri, Aug 11, 2023 at 8:08 AM Ekaterina Dimitrova
> >> <e.dimitr...@gmail.com> wrote:
> >>
> >>
> >> “ The rationale for this proposed deprecation is that the upcoming 5.0
> >> release is a good time to evaluate dependencies that are no longer
> >> receiving updates and will become risks in the future.”
> >>
> >> Thank you for raising it, I support your proposal for deprecation
> >>
> >>> On Fri, 11 Aug 2023 at 8:55, Abe Ratnofsky <a...@aber.io> wrote:
> >>>
> >>> Hey folks,
> >>>
> >>> Opening a thread to get input on a proposed dependency deprecation in
> >>> 5.0: metrics-reporter-config has been archived for 3 years and not
> >>> updated in nearly 6 years.
> >>>
> >>> This project has a minor security issue with its usage of unsafe YAML
> >>> loading via snakeyaml’s unprotected Constructor:
> >>> https://nvd.nist.gov/vuln/detail/CVE-2022-1471
> >>>
> >>> This CVE is reasonable to suppress, since operators should be able to
> >>> trust their YAML configuration files.
> >>>
> >>> The rationale for this proposed deprecation is that the upcoming 5.0
> >>> release is a good time to evaluate dependencies that are no longer
> >>> receiving updates and will become risks in the future.
> >>>
> >>> https://issues.apache.org/jira/browse/CASSANDRA-18743
> >>>
> >>> —
> >>> Abe
> >>>