iemejia commented on a change in pull request #10463:
URL: https://github.com/apache/beam/pull/10463#discussion_r502433421



##########
File path: buildSrc/src/main/groovy/org/apache/beam/gradle/GrpcVendoring.groovy
##########
@@ -28,23 +28,44 @@ class GrpcVendoring {
   static List<String> dependencies() {
     return [
       'com.google.guava:guava:26.0-jre',
-      'com.google.protobuf:protobuf-java:3.7.1',
-      'com.google.protobuf:protobuf-java-util:3.7.1',
-      'com.google.code.gson:gson:2.7',
-      'io.grpc:grpc-auth:1.21.0',
-      'io.grpc:grpc-core:1.21.0',
-      'io.grpc:grpc-context:1.21.0',
-      'io.grpc:grpc-netty:1.21.0',
-      'io.grpc:grpc-protobuf:1.21.0',
-      'io.grpc:grpc-stub:1.21.0',
-      'io.netty:netty-transport-native-epoll:4.1.34.Final',
+      'com.google.protobuf:protobuf-java:3.11.0',
+      'com.google.protobuf:protobuf-java-util:3.11.0',
+      'com.google.code.gson:gson:2.8.6',
+      'io.grpc:grpc-auth:1.26.0',
+      'io.grpc:grpc-core:1.26.0',
+      'io.grpc:grpc-context:1.26.0',
+      'io.grpc:grpc-netty:1.26.0',
+      'io.grpc:grpc-protobuf:1.26.0',
+      'io.grpc:grpc-stub:1.26.0',
+      'io.netty:netty-transport-native-epoll:4.1.42.Final',
       // tcnative version from 
https://github.com/grpc/grpc-java/blob/master/SECURITY.md#netty
-      'io.netty:netty-tcnative-boringssl-static:2.0.22.Final',
-      'com.google.auth:google-auth-library-credentials:0.13.0',
-      'io.grpc:grpc-testing:1.21.0',
+      'io.netty:netty-tcnative-boringssl-static:2.0.26.Final',
+      'com.google.auth:google-auth-library-credentials:0.18.0',
+      'io.grpc:grpc-testing:1.26.0',
       'com.google.api.grpc:proto-google-common-protos:1.12.0',
-      'io.opencensus:opencensus-api:0.21.0',
-      'io.opencensus:opencensus-contrib-grpc-metrics:0.21.0',
+      'io.opencensus:opencensus-api:0.24.0',
+      'io.opencensus:opencensus-contrib-grpc-metrics:0.24.0',
+      'io.perfmark:perfmark-api:0.19.0',
+      'avalon-framework:avalon-framework:4.1.5',
+      'com.github.jponge:lzma-java:1.3',
+      'com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5',
+      'com.jcraft:jzlib:1.1.3',
+      'com.ning:compress-lzf:1.0.3',
+      'commons-logging:commons-logging:1.2',
+      'javax.jms:jms-api:1.1-rev-1',
+      'javax.mail:mail:1.4.3',
+      'javax.servlet:servlet-api:2.5',
+      'log4j:log4j:1.2.17',
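Review bot: the entries added after the opencensus lines, from 'io.perfmark:perfmark-api:0.19.0' through 'log4j:log4j:1.2.17', have no comment saying why they are in the vendored list or where their versions come from, while the tcnative entry just above cites grpc-java's SECURITY.md for its version. Please add a comment above this group naming the upstream artifact that requires them and stating whether they are bundled into the vendored jar or only needed to build it, so that a later upgrade or a scanner finding can be traced to a source. The pre-release pin 'com.google.protobuf.nano:protobuf-javanano:3.0.0-alpha-5' in particular deserves a note confirming it is intentional.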

Review comment:
Question from the future: how did we choose the versions that are here? Is it just the latest available at the time, or do they come from some internal dependency?

It seems log4j-api (2.6.2) is producing some alerts on security scanners:
https://nvd.nist.gov/vuln/detail/CVE-2017-5645

Can I open a PR to upgrade this? Is there anyone working on upgrades to grpc? I also noticed that there are some other unreleased changes in the 1.26.0 version, so I suppose we could do a release of it.



