[
https://issues.apache.org/jira/browse/HDFS-15964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319394#comment-17319394
]
Steve Loughran commented on HDFS-15964:
---------------------------------------
Changes like this should be submitted as GitHub PRs. As this changes hdfs too,
to ensure yetus does the hdfs build/test the PR needs to make some (any) change
in the HDFS module. Adding a newline to the hdfs pom should be enough - we won't
merge that.

Be aware: changing dependencies are some of the most traumatic changes we can
make. A single "change a line in a maven build" can break tests, cause
downstream incompatibilities, trigger regressions in deployments which don't
surface in unit tests etc etc.

There is never a *just* update a JAR. It's "update the JAR, see what breaks,
come up with a plan/timetable to fix". This one should be low risk. But things
related to: guava, jackson, log4j are project-spanning minefields. T

Further reading:
http://steveloughran.blogspot.com/2016/05/fear-of-dependencies.html

> Please update the okhttp version to 4.9.1
> -----------------------------------------
>
> Key: HDFS-15964
> URL: https://issues.apache.org/jira/browse/HDFS-15964
> Project: Hadoop HDFS
> Issue Type: Bug
> Components: build, dfsclient, security
> Affects Versions: 3.3.0
> Reporter: helen huang
> Priority: Major
> Fix For: 3.3.0, 3.4.0
>
>
> Currently the okhttp used by the hdfs client is 2.7.5. Our Fortify scan
> flagged two issues with this version. Please update it to the latest (it is
> okhttp3 4.9.1 at this point). Thanks!
>
> <dependency>
>   <groupId>com.squareup.okhttp3</groupId>
>   <artifactId>okhttp</artifactId>
>   <version>4.9.1</version>
> </dependency>