+1 on bumping to 2.0, just to keep the version consistent in
case someone wants to use it as a drop-in jar.

PHOENIX-6641 also looks good to me, just gave +1

Regards,
Ankit Singhal


On Thu, 3 Feb 2022 at 04:35, Istvan Toth <st...@apache.org> wrote:

> Hi!
>
> I think that it is time to update phoenix-thirdparty.
> There are only two changes:
>
>    - PHOENIX-6575 Replace patched commons-cli with original one when a
>    release with CLI-254 is available
>
> which replaces the current patched commons-cli with the official 1.5.0
> release, which has the same fixes.
> Unfortunately, the API that enables the fixes is a bit different, and
> requires minor code changes in the downstream projects.
> I'm not sure if we should bump the version to 2.0 because of that, or if
> 1.2.0 is enough.
>
> The other change (not yet committed) is
>
>    - PHOENIX-6641 Bump Guava to 31.0.1 in phoenix-thirdparty
>
> The current Guava version has CVE-2020-8908. Now the vulnerability is not
> really fixed in any later version, the problematic method is
> just @deprecated.
> Still, I guess it's better to keep up with the releases than to get stuck
> on an old one, which is likely to cause problems later.
>
> Uncharacteristically, this Guava update does not seem to break any of our
> code.
>
> As you can see, neither of the changes is critical, but I think both are
> nice to have.
>
> Please let me know your opinion, if you agree, or if you agree.
> Please also review PHOENIX-6641, if you have the time.
>
> regards
> Istvan
>
