sijie commented on issue #1777: Issue 1767: security vulnerabilities in 3rd party dependencies
URL: https://github.com/apache/bookkeeper/pull/1777#issuecomment-435211702
 
 
   @mptap 
   
   So `jackson-module-scala_2.11:jar` is a transitive dependency of `com.twitter:finagle-core_2.11:jar`. If we want to bump the version to 2.12, we have to bump all Scala-related dependencies to 2.12. But that would be a separate change. So enforcing it to 2.11 is good enough for this PR.
   
   ```
   [INFO] org.apache.bookkeeper.stats:twitter-finagle-provider:jar:4.9.0-SNAPSHOT
   [INFO] +- org.apache.bookkeeper.stats:bookkeeper-stats-api:jar:4.9.0-SNAPSHOT:compile
   [INFO] +- com.twitter:finagle-core_2.11:jar:6.44.0:compile
   [INFO] |  +- org.scala-lang:scala-library:jar:2.11.8:compile
   [INFO] |  +- com.twitter:finagle-toggle_2.11:jar:6.44.0:compile
   [INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile
   [INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
   [INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.9:compile
   [INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-scala_2.11:jar:2.8.4:compile
   [INFO] |  |  |  \- com.fasterxml.jackson.module:jackson-module-paranamer:jar:2.8.4:compile
   [INFO] |  |  |     \- com.thoughtworks.paranamer:paranamer:jar:2.8:compile
   [INFO] |  |  \- com.google.guava:guava:jar:21.0:compile
   ```

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
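
An added example, not part of the comment above or of the BookKeeper code base: a Python sketch that parses the `mvn dependency:tree` output quoted in the comment, returns the chain that pulls in a given artifact, and groups artifacts by their Scala binary suffix. The function names are hypothetical; the tree text is copied from the comment.

```python
import re

# Tree copied from the quoted comment (mvn dependency:tree output, unwrapped).
TREE = r"""
[INFO] org.apache.bookkeeper.stats:twitter-finagle-provider:jar:4.9.0-SNAPSHOT
[INFO] +- org.apache.bookkeeper.stats:bookkeeper-stats-api:jar:4.9.0-SNAPSHOT:compile
[INFO] +- com.twitter:finagle-core_2.11:jar:6.44.0:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.11.8:compile
[INFO] |  +- com.twitter:finagle-toggle_2.11:jar:6.44.0:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.9:compile
[INFO] |  |  +- com.fasterxml.jackson.module:jackson-module-scala_2.11:jar:2.8.4:compile
[INFO] |  |  |  \- com.fasterxml.jackson.module:jackson-module-paranamer:jar:2.8.4:compile
[INFO] |  |  |     \- com.thoughtworks.paranamer:paranamer:jar:2.8:compile
[INFO] |  |  \- com.google.guava:guava:jar:21.0:compile
"""

def parse_tree(text):
    """Return [(depth, coordinate)]; each tree level is indented by 3 columns."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = re.search(r"[A-Za-z0-9]", body)  # first character of the coordinate
        if m:
            nodes.append((m.start() // 3, body[m.start():].strip()))
    return nodes

def path_to(text, artifact_id):
    """Chain of coordinates from the root module down to artifact_id."""
    stack = []
    for depth, coord in parse_tree(text):
        del stack[depth:]          # drop siblings and deeper nodes
        stack.append(coord)
        if coord.split(":")[1] == artifact_id:
            return list(stack)
    return []

def scala_binary_versions(text):
    """Map Scala binary suffix (e.g. '2.11') to the artifactIds carrying it."""
    found = {}
    for _, coord in parse_tree(text):
        artifact = coord.split(":")[1]
        m = re.search(r"_(\d+\.\d+)$", artifact)
        if m:
            found.setdefault(m.group(1), []).append(artifact)
    return found
```

More than one key in the result of `scala_binary_versions` would indicate mixed Scala binary versions in the same module.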
