[ 
https://issues.apache.org/jira/browse/FLINK-30274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642385#comment-17642385
 ] 

Ran Tao edited comment on FLINK-30274 at 12/2/22 9:18 AM:
----------------------------------------------------------

[~martijnvisser] please see 
https://issues.apache.org/jira/browse/COLLECTIONS-701 . However, I'm not very 
sure Flink will currently cause this error. But we cannot limit the others and 
later usages. 
IMHO, at least we need to recommend that developers use the new version.


was (Author: lemonjing):
[~martijnvisser] please see 
https://issues.apache.org/jira/browse/COLLECTIONS-701 . However, I'm not very 
sure Flink will currently cause this error. But we cannot limit the others and 
later usages. 
IMHO, at least we need to recommend that developers use the new version.

> Add commons-collections4 to replace commons-collections 3.x 
> ------------------------------------------------------------
>
>                 Key: FLINK-30274
>                 URL: https://issues.apache.org/jira/browse/FLINK-30274
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Build System
>    Affects Versions: 1.16.0
>            Reporter: Ran Tao
>            Assignee: Ran Tao
>            Priority: Major
>              Labels: pull-request-available
>         Attachments: image-2022-12-02-16-40-22-172.png
>
>
> First, Apache commons-collections 3.x is a Java 1.3 compatible version, and 
> it does not use Java 5 generics. Apache commons-collections4 4.4 is an 
> upgraded version of commons-collections and it is built by Java 8.
> Second, Apache commons-collections 3.x is vulnerable. See 
> https://issues.apache.org/jira/browse/COLLECTIONS-701
> We can upgrade this dependency, but I found that currently 3.x was used by 
> flink-core in many places. So at least we need to offer commons-collections4 
> support to forbid the next and later error usages (developers or submodules 
> use this new version).
> Apache Spark has the same issue: https://github.com/apache/spark/pull/35257



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
