Chesnay Schepler created FLINK-15540:
----------------------------------------
Summary: flink-shaded-hadoop-2-uber bundles wrong dependency versions
Key: FLINK-15540
URL: https://issues.apache.org/jira/browse/FLINK-15540
Project: Flink
Issue Type: Bug
Components: BuildSystem / Shaded
Affects Versions: shaded-9.0
Reporter: Chesnay Schepler
Assignee: Chesnay Schepler
Fix For: shaded-10.0

For legacy reasons flink-shaded contains 2 modules for hadoop:
flink-shaded-hadoop-2, defining the core dependencies and versions via
dependency management, and flink-shaded-hadoop-2-uber for creating a fat jar.

In this kind of setup the dependency management in {{flink-shaded-hadoop-2}} is
ignored by the {{-uber}} module; dependency management entries only apply if
they are located in a parent module or within the module itself.

As a result flink-shaded-hadoop-2-uber is bundling the wrong versions of
several dependencies; among others we bundle commons-collections 3.2.1, instead
of 3.2.2, which has a security issue.
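
A build-time check for the drift described in this issue, as an added example that is not part of the original report or of flink-shaded's own tooling: it reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that Maven-built dependencies carry into a fat jar and compares the bundled versions with the pinned ones. It assumes the shade configuration does not filter those entries out; `EXPECTED`, the function names and the sample jar are constructed for illustration, and only the commons-collections versions come from the issue text.

```python
import io
import zipfile

# Versions the build is expected to bundle. Only the commons-collections
# pin (3.2.2) comes from the issue text; extend the map for other artifacts.
EXPECTED = {("commons-collections", "commons-collections"): "3.2.2"}


def bundled_versions(jar_bytes):
    """Map (groupId, artifactId) -> sorted versions found in pom.properties entries."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            parts = name.split("/")
            # Expected layout: META-INF/maven/<groupId>/<artifactId>/pom.properties
            if len(parts) != 5 or parts[:2] != ["META-INF", "maven"] or parts[4] != "pom.properties":
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            coord = (props.get("groupId", parts[2]), props.get("artifactId", parts[3]))
            if "version" in props:
                found.setdefault(coord, set()).add(props["version"])
    return {c: sorted(v) for c, v in found.items()}


def version_mismatches(jar_bytes, expected=EXPECTED):
    """Return [(coord, expected, bundled)] for pinned artifacts bundled at another version."""
    found = bundled_versions(jar_bytes)
    return [(c, want, found[c]) for c, want in sorted(expected.items())
            if c in found and found[c] != [want]]


def make_sample_jar(version):
    """Constructed sample: a minimal jar holding one pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/commons-collections/commons-collections/pom.properties",
                     f"#Generated by Maven\ngroupId=commons-collections\n"
                     f"artifactId=commons-collections\nversion={version}\n")
        jar.writestr("org/apache/commons/collections/Placeholder.class", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for coord, want, got in version_mismatches(make_sample_jar("3.2.1")):
        print(f"{':'.join(coord)}: expected {want}, bundled {got}")
```

Run against the real uber jar's bytes in CI, a non-empty result means the pinned versions did not reach the module that builds the fat jar.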