My only concern about removal in 5.1 would be that removing it in a “minor” release would really be a breaking change, and semver says that should happen in a major version.
If we really want to be semver compliant, it shouldn’t be removed until 6.0 (or, if we remove it in the next release, we should call that 6.0, but that conflicts with the idea of a “yearly major” so I’m not sure where we land at the end of the day). Doug > On Aug 16, 2023, at 4:14 PM, Abe Ratnofsky <a...@aber.io> wrote: > > There's consensus here to deprecate metrics-reporter-config in 5.0. > > Is there any objection to removing it in 5.1? > >> On Aug 11, 2023, at 10:01 AM, Maxim Muzafarov <mmu...@apache.org> wrote: >> >> +1 >> >> The rationale for deprecating/removing this library is not just that >> it is obsolete and doesn't get updates. In fact, when the >> metrics-reporter-config [1] was added the dropwizard metrics library >> (formerly com.yammer.metrics [2]) didn't support exporting metrics to >> files like csv, so it made sense at that time. Now it is fully covered >> by the drowpwizrd reporters [3], so users can achieve the same >> behaviour without the need for metrics-reporter-config. And that's why >> I have a lot of doubts about it being used by anyone, but deprecation >> is friendlier because there's no rush to remove it. :-) >> >> >> [1] https://issues.apache.org/jira/browse/CASSANDRA-4430 >> [2] https://issues.apache.org/jira/browse/CASSANDRA-5838 >> [3] https://metrics.dropwizard.io/4.2.0/getting-started.html#other-reporting >> >> On Fri, 11 Aug 2023 at 16:50, Caleb Rackliffe <calebrackli...@gmail.com> >> wrote: >>> >>> +1 >>> >>>> On Aug 11, 2023, at 8:10 AM, Brandon Williams <dri...@gmail.com> wrote: >>>> >>>> +1 >>>> >>>> Kind Regards, >>>> Brandon >>>> >>>>> On Fri, Aug 11, 2023 at 8:08 AM Ekaterina Dimitrova >>>>> <e.dimitr...@gmail.com> wrote: >>>>> >>>>> >>>>> “ The rationale for this proposed deprecation is that the upcoming 5.0 >>>>> release is a good time to evaluate dependencies that are no longer >>>>> receiving updates and will become risks in the future.” >>>>> >>>>> Thank you for raising it, I support your proposal for deprecation >>>>> >>>>>> On Fri, 11 Aug 2023 at 8:55, Abe Ratnofsky <a...@aber.io> wrote: >>>>>> >>>>>> Hey folks, >>>>>> >>>>>> Opening a thread to get input on a proposed dependency deprecation in >>>>>> 5.0: metrics-reporter-config has been archived for 3 years and not >>>>>> updated in nearly 6 years. >>>>>> >>>>>> This project has a minor security issue with its usage of unsafe YAML >>>>>> loading via snakeyaml’s unprotected Constructor: >>>>>> https://nvd.nist.gov/vuln/detail/CVE-2022-1471 >>>>>> >>>>>> This CVE is reasonable to suppress, since operators should be able to >>>>>> trust their YAML configuration files. >>>>>> >>>>>> The rationale for this proposed deprecation is that the upcoming 5.0 >>>>>> release is a good time to evaluate dependencies that are no longer >>>>>> receiving updates and will become risks in the future. >>>>>> >>>>>> https://issues.apache.org/jira/browse/CASSANDRA-18743 >>>>>> >>>>>> — >>>>>> Abe >>>>>> >
