zentol commented on a change in pull request #11006: [FLINK-15868][kinesis] Resolve version conflict between jackson-core and jackson-dataformat-cbor
URL: https://github.com/apache/flink/pull/11006#discussion_r375241377
 
 

 ##########
 File path: pom.xml
 ##########
 @@ -390,19 +390,26 @@ under the License.
                        <dependency>
                                <groupId>com.fasterxml.jackson.core</groupId>
                                <artifactId>jackson-annotations</artifactId>
-                               <version>2.10.1</version>
+                               <version>${jackson.version}</version>
                        </dependency>
 
                        <dependency>
                                <groupId>com.fasterxml.jackson.core</groupId>
                                <artifactId>jackson-databind</artifactId>
-                               <version>2.10.1</version>
+                               <version>${jackson.version}</version>
                        </dependency>
 
                        <dependency>
                                <groupId>com.fasterxml.jackson.core</groupId>
                                <artifactId>jackson-core</artifactId>
-                               <version>2.10.1</version>
+                               <version>${jackson.version}</version>
+                       </dependency>
+
+                       <!-- https://issues.apache.org/jira/browse/FLINK-15868 
-->
+                       <dependency>
+                               
<groupId>com.fasterxml.jackson.dataformat</groupId>
+                               <artifactId>jackson-dataformat-cbor</artifactId>
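
Review bot: The added jackson-dataformat-cbor entry at the end of this hunk is shown without its <version> line; it should reference ${jackson.version} like the three entries above rather than a literal, otherwise the CBOR module can drift from jackson-core again on the next bump. The comment above the entry is only a JIRA link; a few words saying that the entry exists to resolve the version conflict with jackson-core would spare readers the lookup. The hunk also relies on a jackson.version property defined outside the visible lines, so check that it resolves to the 2.10.1 being replaced or to an intentionally newer version.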
 
 Review comment:
   > Looks like there is consensus to keep it centralized
   
   Not quite; this came up during the offline discussion and we continued with the existing approach for the time being for simplicity. Long-term we're likely to throw a jackson bom into every module that needs it, and ban older versions.
   This way it is a lot easier to tell which modules are affected by the dependency management.
   If a new jackson dependency is added, one of three cases happens:
   a) dependency convergence fails (happens if it is not shaded)
   b) enforcer check fails (old insecure versions used that we don't want)
   c) a safe version is used and shaded (hence no conflicts), in which case there is no reason to mandate another version. This also allows us to use the version that the transitive dependency was built against, which is one less uncertainty on our side.
   
