Hi!

I think that it is time to update phoenix-thirdparty.
There are only two changes:

   - PHOENIX-6575 Replace patched commons-cli with original one when a
   release with CLI-254 is available

which replaces the current patched commons-cli with the official 1.5.0
release, which has the same fixes.
Unfortunately, the API that enables the fixes is a bit different, and
requires minor code changes in the downstream projects.
I'm not sure if we should bump the version to 2.0 because of that, or if
1.2.0 is enough.

The other change (not yet committed) is

   - PHOENIX-6641 Bump Guava to 31.0.1 in phoenix-thirdparty

The current Guava version has CVE-2020-8908. Now the vulnerability is not
really fixed in any later version; the problematic method is
just @deprecated.
Still, I guess it's better to keep up with the releases than to get stuck
on an old one, which is likely to cause problems later.

Uncharacteristically, this Guava update does not seem to break any of our
code.

As you can see, neither of the changes is critical, but I think both are
nice to have.

Please let me know your opinion, if you agree, or if you agree.
Please also review PHOENIX-6641, if you have the time.

regards
Istvan
