zentol commented on a change in pull request #16605:
URL: https://github.com/apache/flink/pull/16605#discussion_r678213820
##########
File path: pom.xml
##########
@@ -1619,6 +1621,7 @@ under the License.
so there's no benefit in us investing time into bumping these. -->
<include>org.yaml:snakeyaml:(,1.26]:*:test</include>
</includes>
+
<message>Older snakeyaml versions are not allow due to security
vulnerabilities.</message>
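Review bot: the added `<message>` states that older snakeyaml versions are not allowed, but the `<include>` two lines above it exempts the `(,1.26]` range in test scope, so the text overstates what the rule enforces. Consider saying that they are not allowed outside of test scope, so that a developer who hits the failure understands why the same version passes as a test dependency.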
Review comment:
```suggestion
<message>Older snakeyaml versions are not allowed due to security
vulnerabilities.</message>
```
##########
File path: pom.xml
##########
@@ -1634,6 +1637,7 @@ under the License.
<excludes>
<exclude>com.fasterxml.jackson*:*:(,2.12.0]</exclude>
</excludes>
+
<message>Older jackson versions are not allow due to security
vulnerabilities.</message>
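Review bot: in the `<exclude>` just above the added `<message>`, the range `(,2.12.0]` has an inclusive upper bound, so 2.12.0 itself is rejected, while the message only speaks of "older" versions. It is worth confirming that banning 2.12.0 is intended; if it is not, the bound should be `(,2.12.0)`, and if it is, a short XML comment next to the exclude saying so would save the next reader from guessing.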
Review comment:
```suggestion
<message>Older jackson versions are not allowed due to security
vulnerabilities.</message>
```
##########
File path: pom.xml
##########
@@ -1619,6 +1621,7 @@ under the License.
so there's no benefit in us investing time into bumping these. -->
<include>org.yaml:snakeyaml:(,1.26]:*:test</include>
</includes>
+
<message>Older snakeyaml versions are not allow due to security
vulnerabilities.</message>
Review comment:
It would be neat but I would like to avoid duplicating the version
information, which we then of course would have to keep in sync.
We could of course define some `security.snakeyaml.minimum.version` property
which we use, but it seems overkill?