An update: the Nacos team has promised that they will remove the Fastjson
dependency to ease our concern.
I think we could wait for their progress until we begin to initiate our 8.0.0
release. If they can't finish it on time, we will do the deletion.

Is everyone OK with this strategy?

Sheng Wu 吴晟
Twitter, wusheng1108


Sheng Wu <wu.sheng.841...@gmail.com> wrote on Thursday, May 21, 2020 at 9:50 AM:

> I have submitted the issue to the Nacos team,
> https://github.com/alibaba/nacos/issues/2842
> to check, *Does Nacos provide an alternative JSON library, rather than
> FastJSON, as a new option*
>
> If the answer is negative, and our consensus is clear, preferring to
> remove the code, then it is time to make the decision.
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
>
>
> Sheng Wu <wu.sheng.841...@gmail.com> wrote on Thursday, May 21, 2020 at 9:23 AM:
>
>> I just rechecked the dependency tree, and can confirm that fastjson is
>> imported by Nacos only. No other library depends on it.
>>
>> [INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @
>> apache-skywalking-apm-es7 ---
>> [WARNING] Failure to transfer
>> org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml
>> from https://repository.apache.org/snapshots was cached in the local
>> repository, resolution will not be reattempted until the update interval of
>> apache.snapshots has elapsed or updates are forced. Original error: Could
>> not transfer metadata
>> org.apache.skywalking:skywalking-trace-receiver-plugin:8.0.0-SNAPSHOT/maven-metadata.xml
>> from/to apache.snapshots (https://repository.apache.org/snapshots):
>> Connect to repository.apache.org:443 [
>> repository.apache.org/207.244.88.140] failed: Operation timed out
>> Downloading from apache.snapshots:
>> https://repository.apache.org/snapshots/org/apache/skywalking/server-starter-es7/8.0.0-SNAPSHOT/server-starter-es7-8.0.0-SNAPSHOT.jar
>> [INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
>> [INFO] +- org.apache.skywalking:apm-agent:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  \-
>> org.apache.skywalking:apm-agent-core:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     +-
>> org.apache.skywalking:apm-network:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     |  +- io.grpc:grpc-netty:jar:1.26.0:compile
>> [INFO] |     |  |  +- io.netty:netty-codec-http2:jar:4.1.42.Final:compile
>> (version selected from constraint [4.1.42.Final,4.1.42.Final])
>> [INFO] |     |  |  \-
>> io.netty:netty-handler-proxy:jar:4.1.42.Final:compile
>> [INFO] |     |  |     \-
>> io.netty:netty-codec-socks:jar:4.1.42.Final:compile
>> [INFO] |     |  +- io.grpc:grpc-protobuf:jar:1.26.0:compile
>> [INFO] |     |  |  +- io.grpc:grpc-api:jar:1.26.0:compile
>> [INFO] |     |  |  |  \- io.grpc:grpc-context:jar:1.26.0:compile
>> [INFO] |     |  |  +- com.google.protobuf:protobuf-java:jar:3.11.0:compile
>> [INFO] |     |  |  +-
>> com.google.api.grpc:proto-google-common-protos:jar:1.12.0:compile
>> [INFO] |     |  |  \- io.grpc:grpc-protobuf-lite:jar:1.26.0:compile
>> [INFO] |     |  +- io.grpc:grpc-stub:jar:1.26.0:compile
>> [INFO] |     |  \-
>> io.netty:netty-tcnative-boringssl-static:jar:2.0.26.Final:compile
>> [INFO] |     +- org.apache.skywalking:apm-util:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |     +- net.bytebuddy:byte-buddy:jar:1.10.7:compile
>> [INFO] |     \-
>> org.apache.skywalking:apm-datacarrier:jar:8.0.0-SNAPSHOT:compile
>> [INFO] +-
>> org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +-
>> org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:server-core:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.yaml:snakeyaml:jar:1.18:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:library-module:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:telemetry-api:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:configuration-api:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:library-util:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +- joda-time:joda-time:jar:2.10.5:compile
>> [INFO] |  |  |  |  \-
>> com.google.protobuf:protobuf-java-util:jar:3.11.4:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:library-client:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +- com.zaxxer:HikariCP:jar:3.1.0:compile
>> [INFO] |  |  |  |  +- commons-dbcp:commons-dbcp:jar:1.4:compile
>> [INFO] |  |  |  |  |  \- commons-pool:commons-pool:jar:1.5.4:compile
>> [INFO] |  |  |  |  +-
>> org.elasticsearch.client:elasticsearch-rest-high-level-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  +- org.elasticsearch:elasticsearch:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.elasticsearch:elasticsearch-core:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.elasticsearch:elasticsearch-secure-sm:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.elasticsearch:elasticsearch-x-content:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  |  +-
>> com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  |  +-
>> com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  |  \-
>> com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.8.10:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-core:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-analyzers-common:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-backward-codecs:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-grouping:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-highlighter:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-join:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-memory:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-misc:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-queries:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-queryparser:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-sandbox:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-spatial:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-spatial-extras:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-spatial3d:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.lucene:lucene-suggest:jar:7.3.1:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.elasticsearch:elasticsearch-cli:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +- com.carrotsearch:hppc:jar:0.7.1:compile
>> [INFO] |  |  |  |  |  |  +- com.tdunning:t-digest:jar:3.2:compile
>> [INFO] |  |  |  |  |  |  \- org.elasticsearch:jna:jar:4.5.1:compile
>> [INFO] |  |  |  |  |  +-
>> org.elasticsearch.client:elasticsearch-rest-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  |  +-
>> org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
>> [INFO] |  |  |  |  |  |  \-
>> org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
>> [INFO] |  |  |  |  |  +-
>> org.elasticsearch.plugin:parent-join-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  +-
>> org.elasticsearch.plugin:aggs-matrix-stats-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  |  \-
>> org.elasticsearch.plugin:rank-eval-client:jar:6.3.2:compile
>> [INFO] |  |  |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:library-server:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  |  +-
>> org.eclipse.jetty:jetty-server:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
>> [INFO] |  |  |  |  |  +-
>> org.eclipse.jetty:jetty-http:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  |  \-
>> org.eclipse.jetty:jetty-util:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  |  \-
>> org.eclipse.jetty:jetty-io:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |  \-
>> org.eclipse.jetty:jetty-servlet:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  |     \-
>> org.eclipse.jetty:jetty-security:jar:9.4.28.v20200408:compile
>> [INFO] |  |  |  \- org.javassist:javassist:jar:3.25.0-GA:compile
>> [INFO] |  |  +- org.apache.skywalking:oal-rt:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +-
>> org.apache.skywalking:oal-grammar:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- org.antlr:antlr4-runtime:jar:4.7.1:compile
>> [INFO] |  |  |  +- org.freemarker:freemarker:jar:2.3.28:compile
>> [INFO] |  |  |  \- commons-io:commons-io:jar:2.6:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-standalone-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-zookeeper-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \-
>> org.apache.curator:curator-x-discovery:jar:4.0.1:compile
>> [INFO] |  |  |     +- org.apache.curator:curator-recipes:jar:4.0.1:compile
>> [INFO] |  |  |     |  \-
>> org.apache.curator:curator-framework:jar:4.0.1:compile
>> [INFO] |  |  |     |     \-
>> org.apache.curator:curator-client:jar:4.0.1:compile
>> [INFO] |  |  |     |        \-
>> org.apache.zookeeper:zookeeper:jar:3.5.3-beta:compile
>> [INFO] |  |  |     |           +- commons-cli:commons-cli:jar:1.2:compile
>> [INFO] |  |  |     |           +- log4j:log4j:jar:1.2.17:compile
>> [INFO] |  |  |     |           \- io.netty:netty:jar:3.10.5.Final:compile
>> [INFO] |  |  |     \-
>> org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
>> [INFO] |  |  |        \-
>> org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-kubernetes-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- io.kubernetes:client-java:jar:4.0.0:compile
>> [INFO] |  |  |     +- io.kubernetes:client-java-api:jar:4.0.0:compile
>> [INFO] |  |  |     |  +- io.sundr:builder-annotations:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  +- io.sundr:sundr-core:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  +- io.sundr:sundr-codegen:jar:0.9.2:compile
>> [INFO] |  |  |     |  |  \-
>> io.sundr:resourcecify-annotations:jar:0.9.2:compile
>> [INFO] |  |  |     |  +- io.swagger:swagger-annotations:jar:1.5.12:compile
>> [INFO] |  |  |     |  +- com.squareup.okhttp:okhttp:jar:2.7.5:compile
>> [INFO] |  |  |     |  +-
>> com.squareup.okhttp:logging-interceptor:jar:2.7.5:compile
>> [INFO] |  |  |     |  \- org.joda:joda-convert:jar:1.2:compile
>> [INFO] |  |  |     +- io.kubernetes:client-java-proto:jar:4.0.0:compile
>> [INFO] |  |  |     +- org.apache.commons:commons-compress:jar:1.18:compile
>> [INFO] |  |  |     +- org.apache.commons:commons-lang3:jar:3.7:compile
>> [INFO] |  |  |     +- com.squareup.okhttp:okhttp-ws:jar:2.7.5:compile
>> [INFO] |  |  |     +- org.bouncycastle:bcprov-ext-jdk15on:jar:1.59:compile
>> [INFO] |  |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.59:compile
>> [INFO] |  |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-consul-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.orbitz.consul:consul-client:jar:1.2.6:compile
>> [INFO] |  |  |     +- com.squareup.retrofit2:retrofit:jar:2.3.0:compile
>> [INFO] |  |  |     +-
>> com.squareup.retrofit2:converter-jackson:jar:2.3.0:compile
>> [INFO] |  |  |     +- com.squareup.okhttp3:okhttp:jar:3.9.0:compile
>> [INFO] |  |  |     |  \- com.squareup.okio:okio:jar:1.13.0:compile
>> [INFO] |  |  |     +-
>> com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.5:compile
>> [INFO] |  |  |     \-
>> com.fasterxml.jackson.datatype:jackson-datatype-guava:jar:2.9.5:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
>> [INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
>> [INFO] |  |  |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
>> [INFO] |  |  |        \- com.alibaba:fastjson:jar:1.2.58:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-etcd-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- io.netty:netty-codec-dns:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-common:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-buffer:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  +- io.netty:netty-transport:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  \- io.netty:netty-codec:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-codec-http:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-handler:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- io.netty:netty-resolver-dns:jar:4.1.42.Final:compile
>> [INFO] |  |  |  |  \- io.netty:netty-resolver:jar:4.1.42.Final:compile
>> [INFO] |  |  |  +- org.mousio:etcd4j:jar:2.17.0:compile
>> [INFO] |  |  |  |  \-
>> com.github.wnameless:json-flattener:jar:0.6.0:compile
>> [INFO] |  |  |  |     +-
>> com.eclipsesource.minimal-json:minimal-json:jar:0.9.5:compile
>> [INFO] |  |  |  |     \- org.apache.commons:commons-text:jar:1.4:compile
>> [INFO] |  |  |  \-
>> com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.9.5:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-mesh-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \-
>> org.apache.skywalking:skywalking-sharing-server-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-istio-telemetry-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \-
>> org.apache.skywalking:receiver-proto:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-management-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-jvm-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-trace-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:envoy-metrics-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-clr-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-so11y-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:skywalking-profile-receiver-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:prometheus-fetcher-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:storage-jdbc-hikaricp-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.h2database:h2:jar:1.4.196:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:storage-influxdb-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- org.influxdb:influxdb-java:jar:2.15:compile
>> [INFO] |  |  |     +-
>> com.squareup.retrofit2:converter-moshi:jar:2.5.0:compile
>> [INFO] |  |  |     |  \- com.squareup.moshi:moshi:jar:1.5.0:compile
>> [INFO] |  |  |     +- org.msgpack:msgpack-core:jar:0.8.16:compile
>> [INFO] |  |  |     \-
>> com.squareup.okhttp3:logging-interceptor:jar:3.13.1:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:query-graphql-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- com.graphql-java:graphql-java:jar:8.0:compile
>> [INFO] |  |  |  |  +- com.graphql-java:java-dataloader:jar:2.0.2:compile
>> [INFO] |  |  |  |  \-
>> org.reactivestreams:reactive-streams:jar:1.0.2:compile
>> [INFO] |  |  |  \- com.graphql-java:graphql-java-tools:jar:5.2.3:compile
>> [INFO] |  |  |     +-
>> org.jetbrains.kotlin:kotlin-stdlib:jar:1.1.60:compile
>> [INFO] |  |  |     |  \- org.jetbrains:annotations:jar:13.0:compile
>> [INFO] |  |  |     +-
>> com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.8.8:compile
>> [INFO] |  |  |     |  \-
>> org.jetbrains.kotlin:kotlin-reflect:jar:1.1.1:compile
>> [INFO] |  |  |     \- com.esotericsoftware:reflectasm:jar:1.11.7:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:server-alarm-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:telemetry-prometheus:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  +- io.prometheus:simpleclient:jar:0.6.0:compile
>> [INFO] |  |  |  +- io.prometheus:simpleclient_hotspot:jar:0.6.0:compile
>> [INFO] |  |  |  \- io.prometheus:simpleclient_httpserver:jar:0.6.0:compile
>> [INFO] |  |  |     \- io.prometheus:simpleclient_common:jar:0.6.0:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:telemetry-so11y:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +- org.apache.skywalking:exporter:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:grpc-configuration-sync:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- io.grpc:grpc-core:jar:1.26.0:compile
>> [INFO] |  |  |     +- io.perfmark:perfmark-api:jar:0.19.0:compile
>> [INFO] |  |  |     +- io.opencensus:opencensus-api:jar:0.24.0:compile
>> [INFO] |  |  |     \-
>> io.opencensus:opencensus-contrib-grpc-metrics:jar:0.24.0:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:configuration-apollo:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \-
>> com.ctrip.framework.apollo:apollo-client:jar:1.4.0:compile
>> [INFO] |  |  |     +-
>> com.ctrip.framework.apollo:apollo-core:jar:1.4.0:compile
>> [INFO] |  |  |     \- com.google.inject:guice:jar:4.1.0:compile
>> [INFO] |  |  |        \- aopalliance:aopalliance:jar:1.0:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:configuration-nacos:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:configuration-zookeeper:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:configuration-etcd:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \-
>> org.apache.skywalking:configuration-consul:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +-
>> org.apache.skywalking:storage-elasticsearch7-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \-
>> org.apache.skywalking:storage-elasticsearch-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +-
>> org.apache.skywalking:tool-profile-snapshot-exporter-es7:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  \-
>> org.apache.skywalking:tool-profile-snapshot-bootstrap:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |     \-
>> org.apache.skywalking:tool-profile-snapshot-server-mock:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
>> [INFO] |  +- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
>> [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.9.0:compile
>> [INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.9.0:compile
>> [INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.9.0:compile
>> [INFO] |  \- com.google.guava:guava:jar:28.1-jre:compile
>> [INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
>> [INFO] |     +-
>> com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
>> [INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
>> [INFO] |     +- org.checkerframework:checker-qual:jar:2.8.1:compile
>> [INFO] |     +-
>> com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
>> [INFO] |     \-
>> org.codehaus.mojo:animal-sniffer-annotations:jar:1.18:compile
>> [INFO] +- org.apache.skywalking:apm-webapp:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +-
>> org.springframework.boot:spring-boot-starter-web:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  +-
>> org.springframework.boot:spring-boot-starter:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.boot:spring-boot:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.boot:spring-boot-autoconfigure:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.boot:spring-boot-starter-logging:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
>> [INFO] |  |  |  \-
>> org.springframework:spring-core:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  +-
>> org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.29:compile
>> [INFO] |  |  |  |  \-
>> org.apache.tomcat:tomcat-annotations-api:jar:8.5.29:compile
>> [INFO] |  |  |  +-
>> org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.29:compile
>> [INFO] |  |  |  \-
>> org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.29:compile
>> [INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.3.6.Final:compile
>> [INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
>> [INFO] |  |  |  +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
>> [INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.1:compile
>> [INFO] |  |  +- org.springframework:spring-web:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework:spring-aop:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework:spring-beans:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  |  \-
>> org.springframework:spring-context:jar:4.3.15.RELEASE:compile
>> [INFO] |  |  \-
>> org.springframework:spring-webmvc:jar:4.3.15.RELEASE:compile
>> [INFO] |  |     \-
>> org.springframework:spring-expression:jar:4.3.15.RELEASE:compile
>> [INFO] |  +-
>> org.springframework.boot:spring-boot-starter-actuator:jar:1.5.11.RELEASE:compile
>> [INFO] |  |  \-
>> org.springframework.boot:spring-boot-actuator:jar:1.5.11.RELEASE:compile
>> [INFO] |  +-
>> com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile
>> [INFO] |  |  +-
>> com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
>> [INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
>> [INFO] |  +-
>> org.springframework.boot:spring-boot-configuration-processor:jar:1.5.11.RELEASE:compile
>> [INFO] |  +- com.google.code.gson:gson:jar:2.8.2:compile
>> [INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
>> [INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
>> [INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
>> [INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
>> [INFO] |  +-
>> org.springframework.cloud:spring-cloud-starter-netflix-zuul:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  +-
>> org.springframework.cloud:spring-cloud-starter:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.cloud:spring-cloud-context:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  |  \-
>> org.springframework.security:spring-security-crypto:jar:4.2.3.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.cloud:spring-cloud-commons:jar:1.3.1.RELEASE:compile
>> [INFO] |  |  |  \-
>> org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
>> [INFO] |  |  +-
>> org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +-
>> org.springframework.cloud:spring-cloud-netflix-core:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.12:compile
>> [INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
>> [INFO] |  |  |  +-
>> com.netflix.hystrix:hystrix-metrics-event-stream:jar:1.5.12:compile
>> [INFO] |  |  |  |  \-
>> com.netflix.hystrix:hystrix-serialization:jar:1.5.12:runtime
>> [INFO] |  |  |  \- com.netflix.hystrix:hystrix-javanica:jar:1.5.12:compile
>> [INFO] |  |  |     +- org.ow2.asm:asm:jar:5.0.4:runtime
>> [INFO] |  |  |     \- org.aspectj:aspectjweaver:jar:1.8.6:compile
>> [INFO] |  |  +-
>> org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon:jar:2.2.4:compile
>> [INFO] |  |  |  |  +-
>> com.netflix.ribbon:ribbon-transport:jar:2.2.4:runtime
>> [INFO] |  |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
>> [INFO] |  |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
>> [INFO] |  |  |  |  +- javax.inject:javax.inject:jar:1:compile
>> [INFO] |  |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
>> [INFO] |  |  |  |     \-
>> io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.4:compile
>> [INFO] |  |  |  |  \- commons-lang:commons-lang:jar:2.6:compile
>> [INFO] |  |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.4:compile
>> [INFO] |  |  |  |  +-
>> commons-collections:commons-collections:jar:3.2.2:runtime
>> [INFO] |  |  |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
>> [INFO] |  |  |  |  |  \- com.sun.jersey:jersey-core:jar:1.19.1:runtime
>> [INFO] |  |  |  |  |     \- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
>> [INFO] |  |  |  |  \-
>> com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
>> [INFO] |  |  |  +-
>> com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.4:compile
>> [INFO] |  |  |  |  \-
>> com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
>> [INFO] |  |  |  \- io.reactivex:rxjava:jar:1.2.0:compile
>> [INFO] |  |  +-
>> org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.2.RELEASE:compile
>> [INFO] |  |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
>> [INFO] |  |  |  \-
>> commons-configuration:commons-configuration:jar:1.8:compile
>> [INFO] |  |  \- com.netflix.zuul:zuul-core:jar:1.3.0:compile
>> [INFO] |  |     +- com.netflix.servo:servo-core:jar:0.7.2:runtime
>> [INFO] |  |     |  \-
>> com.google.code.findbugs:annotations:jar:2.0.0:runtime
>> [INFO] |  |     \-
>> com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
>> [INFO] |  \- ch.qos.logback:logback-classic:jar:1.2.3:compile
>> [INFO] |     \- ch.qos.logback:logback-core:jar:1.2.3:compile
>> [INFO] +- junit:junit:jar:4.12:test
>> [INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
>> [INFO] +- org.mockito:mockito-all:jar:1.10.19:test
>> [INFO] +- org.powermock:powermock-module-junit4:jar:1.6.4:test
>> [INFO] |  \- org.powermock:powermock-module-junit4-common:jar:1.6.4:test
>> [INFO] |     +- org.powermock:powermock-core:jar:1.6.4:test
>> [INFO] |     \- org.powermock:powermock-reflect:jar:1.6.4:test
>> [INFO] +- org.powermock:powermock-api-mockito:jar:1.6.4:test
>> [INFO] |  +- org.mockito:mockito-core:jar:1.10.19:test
>> [INFO] |  |  \- org.objenesis:objenesis:jar:2.1:test
>> [INFO] |  \- org.powermock:powermock-api-support:jar:1.6.4:test
>> [INFO] +- org.openjdk.jmh:jmh-core:jar:1.21:test
>> [INFO] |  +- net.sf.jopt-simple:jopt-simple:jar:4.6:compile
>> [INFO] |  \- org.apache.commons:commons-math3:jar:3.2:test
>> [INFO] +- org.projectlombok:lombok:jar:1.18.10:provided
>> [INFO] \- javax.annotation:javax.annotation-api:jar:1.3.2:provided
>> [INFO]
>> ------------------------------------------------------------------------
>>
>> Sheng Wu 吴晟
>> Twitter, wusheng1108
>>
>>
>> Sheng Wu <wu.sheng.841...@gmail.com> wrote on Thursday, May 21, 2020 at 8:22 AM:
>>
>>>
>>>
>>> Hongtao Gao <hanahm...@gmail.com> wrote on Wednesday, May 20, 2020 at 11:13 PM:
>>>
>>>> >
>>>> > So I suggest just removing Nacos from the release package, keeping the
>>>> > source code in our project.
>>>>
>>>>
>>>> Coordination and configuration APIs are stable now, and I don't see any
>>>> potential improvements to them.
>>>> Anyone who needs it can easily revert to the commit that contains Nacos.
>>>> Keeping unreleased code in the main repo is dangerous for us, so I prefer
>>>> to remove it directly.
>>>>
>>>
>>> Agree, git is the time machine. We should not worry about rolling back
>>> in some days.
>>>
>>> Zhenxu,
>>> Moving the code to skyapm is fine; we just need to keep the Apache
>>> license header there, and indicate why the code was copied there.
>>> If we really think that is meaningful. People are going to ask questions
>>> there, so it will be some workload there.
>>> Also, notice: once we don't change the code, how do we release it?
>>>
>>> Sheng Wu 吴晟
>>> Twitter, wusheng1108
>>>
>>>
>>>>
>>>> peng-yongsheng <pen...@apache.org> wrote on Wednesday, May 20, 2020 at 10:27 PM:
>>>>
>>>> > FastJSON is the source of these security issues, and Nacos is a famous
>>>> > project. But security issues are a very important problem, and they can’t
>>>> > really resolve it.
>>>> >
>>>> > So I suggest just removing Nacos from the release package, keeping the
>>>> > source code in our project.
>>>> >
>>>> >
>>>> > Sheng Wu <wush...@apache.org> wrote on Wednesday, May 20, 2020 at 20:51:
>>>> >
>>>> > > Hi dev team,
>>>> > >
>>>> > > Especially committers and PMC members: recently, we just upgraded fastjson
>>>> > > through https://github.com/apache/skywalking/pull/4753. But today, we
>>>> > > received another report about the security issue again,
>>>> > > https://github.com/apache/skywalking/pull/4804.
>>>> > > The 4804 PR is not correct, but that is not the point.
>>>> > >
>>>> > > The concern I want to mention is that FastJson, imported by Nacos, keeps
>>>> > > reporting security issues. This breaks our stable/security status very
>>>> > > frequently.
>>>> > >
>>>> > > I want to ask, *do we need to consider removing the Nacos +
>>>> > > FastJSON dependency, because this library is not of high quality from a
>>>> > > security perspective?*
>>>> > > These two are not required; they are just an implementation of the
>>>> > > configuration server and cluster management server.
>>>> > >
>>>> > > I don't request to act now, but I would like to hear, what do you think?
>>>> > >
>>>> > > Sheng Wu 吴晟
>>>> > > Twitter, wusheng1108
>>>> > >
>>>> >
>>>>
>>>>
>>>> --
>>>> Hongtao Gao
>>>>
>>>> Apache SkyWalking && Apache ShardingSphere
>>>> Twitter, @hanahmily
>>>>
>>>
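
The check made in this thread (reading `mvn dependency:tree` output to confirm that fastjson is pulled in by Nacos only) can be scripted. The following is an added example, not part of the original messages or of the SkyWalking code base: the function names are hypothetical, and the sample is a shortened excerpt of the tree quoted above, kept in its e-mail-quoted, line-wrapped form so the parser has to cope with it.

```python
import re

# Shortened excerpt of the dependency tree quoted in this thread, including
# the ">> " quote markers and the line wrapping added by the mail client.
SAMPLE_TREE = r"""
>> [INFO] org.apache.skywalking:apache-skywalking-apm-es7:pom:8.0.0-SNAPSHOT
>> [INFO] +-
>> org.apache.skywalking:server-starter-es7:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  +-
>> org.apache.skywalking:server-bootstrap:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-consul-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.orbitz.consul:consul-client:jar:1.2.6:compile
>> [INFO] |  |  +-
>> org.apache.skywalking:cluster-nacos-plugin:jar:8.0.0-SNAPSHOT:compile
>> [INFO] |  |  |  \- com.alibaba.nacos:nacos-client:jar:1.2.0:compile
>> [INFO] |  |  |     +- com.alibaba.nacos:nacos-common:jar:1.2.0:compile
>> [INFO] |  |  |     \- com.alibaba.nacos:nacos-api:jar:1.2.0:compile
>> [INFO] |  |  |        \- com.alibaba:fastjson:jar:1.2.58:compile
>> [INFO] \- javax.annotation:javax.annotation-api:jar:1.3.2:provided
"""

# "[INFO] " + N indent groups ("|  " or "   ") + optional "+- " / "\- " + token
NODE = re.compile(r"^\[INFO\] ((?:[| ]  )*)(?:([+\\])- ?)?(\S*)")
# groupId:artifactId:type[:classifier]:version[:scope]
COORD = re.compile(r"^[\w.\-]+(?::[\w.\-]+){3,5}$")


def parse_tree(text):
    """Return [(depth, coordinate), ...] in document order.

    Tolerates e-mail quote markers and tree lines whose coordinate was
    wrapped onto the following line; non-tree lines (warnings, banners)
    are ignored.
    """
    nodes, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = NODE.match(line)
        if m:
            indent, marker, token = m.groups()
            depth = len(indent) // 3 + (1 if marker else 0)
            if marker and not token:
                pending = depth          # coordinate is on the next line
                continue
            pending = None
            if COORD.match(token) and (marker or not indent):
                nodes.append((depth, token))
        elif pending is not None:
            parts = line.split()
            if parts and COORD.match(parts[0]):
                nodes.append((pending, parts[0]))
            pending = None
    return nodes


def paths_to(nodes, group_artifact):
    """Every root-to-node path that ends at groupId:artifactId."""
    stack, hits = [], []
    for depth, coord in nodes:
        del stack[depth:]
        stack.append(coord)
        if coord.startswith(group_artifact + ":"):
            hits.append(list(stack))
    return hits


def introducers(nodes, group_artifact, own_group):
    """First dependency outside own_group on each path to the target."""
    found = set()
    for path in paths_to(nodes, group_artifact):
        for coord in path:
            group, artifact = coord.split(":")[:2]
            if group != own_group:
                found.add(group + ":" + artifact)
                break
    return sorted(found)


if __name__ == "__main__":
    tree = parse_tree(SAMPLE_TREE)
    for path in paths_to(tree, "com.alibaba:fastjson"):
        print(" -> ".join(path))
    print(introducers(tree, "com.alibaba:fastjson", "org.apache.skywalking"))
```

Run against the full, unabridged tree output, a single entry in the `introducers` result is what supports the statement that no other library depends on the artifact.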
