I think I"m going to be reverting most of this change: https://github.com/apache/tinkerpop/commit/aa955d56485483cb5b1901fd82783d5cdf969c7c#diff-402e09222db9327564f28924e1b39d0c
We'll keep the update to our shaded version of Jackson, but I'm finding that the remaining changes caused problems with Spark. Robert Dale has already been of a mind that we not tackle CVEs this way anymore and I agree with him at this point. We shouldn't be managing the CVE problems of upstream dependencies. If we need a CVE to go away then we need to take the problem to the originating project rather than try to deal with it by way of exclusion. On Mon, Oct 7, 2019 at 8:36 AM Stephen Mallette <[email protected]> wrote: > I'm a bit late on the code freeze post, but here it is now - it > technically started at the end of the day on Friday. For once we don't have > a glut of pull requests to merge so that's nice. Please use this thread for > release related issues as we look to get another one of these releases out > the door. > > Also for committers and/or PMC members, your name is listed on the > TinkerPop home page in the Contributor List[1] with your "bio". If you are > active on the project, your "bio" reflects what you have been working on > and what you expect to be working on with respect to TinkerPop for recent > times (i.e. for the previous six months and the following six months). If > you are currently inactive on the project, your "bio" reflects the full > scope of all your contributions throughout your active periods. You can > refer to the contributor listing policy[2] for full details. > > Please take a moment to update your bio directly in Git[3] or, if you > would prefer, please reply to this post with your bio update and it will be > added for you. > > [1] http://tinkerpop.apache.org/#contributors > [2] > http://tinkerpop.apache.org/docs/current/dev/developer/#contributor-listing > [3] > https://github.com/apache/tinkerpop/blob/master/docs/site/home/index.html >
