RyanSkraba commented on code in PR #341:
URL: https://github.com/apache/flink-statefun/pull/341#discussion_r1403118669


##########
statefun-kafka-io/pom.xml:
##########
@@ -43,9 +43,7 @@ under the License.
             <version>${kafka.version}</version>
             <exclusions>
                 <!-- This collides with snappy-java brought from  
-                        
org.apache.flink:flink-streaming-java_${scala.binary.version}
-                            org.xerial.snappy:snappy-java:1.1.4
-                -->
+                        org.apache.flink:flink-streaming-java -->
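Review bot: the replacement comment drops the concrete coordinates (`org.xerial.snappy:snappy-java:1.1.4`) that told a reader which artifact the exclusion targets and which side is meant to win, so a future maintainer can no longer tell from the pom alone whether the exclusion is still needed or safe. Suggest keeping the group:artifact of the excluded dependency in the comment and stating explicitly that the snappy-java version from `org.apache.flink:flink-streaming-java` is the single authoritative one, e.g. `<!-- Excluded so snappy-java comes only from org.apache.flink:flink-streaming-java -->`. Also worth a line in the commit message that the `_${scala.binary.version}` suffix was removed from the artifact id, since that changes which artifact the comment refers to.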

Review Comment:
   Hello!  If I understand correctly, the version of snappy brought in from 
flink-streaming-java *must* be compatible with the kafka client, or there's 
little hope of it working -- in my experience, this has always been the case 
with snappy patch releases, so 1.1.8.x should be OK with 1.1.10.x.
   
   Users on Flink 1.16.2 will certainly have the vulnerability in 
flink-statefun (but also in all of the flink core APIs).  We're currently 
[voting on a 1.16.3 
release](https://lists.apache.org/thread/dxfmt3v5n0xv5r9tjl30ob5d7y5t7pw3) with 
the bump. 
   
   I'm open to a comment suggestion, but I'm not sure what would be useful or 
remain timely!  Wrangling dependencies is not an easy problem, so when I see an 
exclusion like this, I just assume the original author wanted a single 
authoritative source for the version.
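A check that complements the reasoning above (a single authoritative source for the snappy-java version): the script below is an added example, not code from the PR or the flink-statefun project. It parses the text output of `mvn dependency:tree` and reports how many distinct versions of a given artifact reach the classpath, so a reviewer can confirm that an exclusion actually left one version. The two tree snippets and the version numbers in them are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not part of the PR or flink-statefun): confirm that exactly one
# version of an artifact survives in a Maven dependency tree.

# Constructed sample (hypothetical versions): the exclusion is missing, so two
# copies of snappy-java arrive through kafka-clients and flink-streaming-java.
TREE_TWO_VERSIONS='[INFO] org.apache.flink:statefun-kafka-io:jar:3.3-SNAPSHOT
[INFO] +- org.apache.kafka:kafka-clients:jar:3.4.0:compile
[INFO] |  \- org.xerial.snappy:snappy-java:jar:1.1.8.1:compile
[INFO] \- org.apache.flink:flink-streaming-java:jar:1.16.2:provided
[INFO]    \- org.xerial.snappy:snappy-java:jar:1.1.10.4:provided'

# Constructed sample: the exclusion is in place and only the Flink copy remains.
TREE_ONE_VERSION='[INFO] org.apache.flink:statefun-kafka-io:jar:3.3-SNAPSHOT
[INFO] +- org.apache.kafka:kafka-clients:jar:3.4.0:compile
[INFO] \- org.apache.flink:flink-streaming-java:jar:1.16.2:provided
[INFO]    \- org.xerial.snappy:snappy-java:jar:1.1.10.4:provided'

# versions_of GROUP:ARTIFACT TREE_TEXT
# Prints the distinct versions of the artifact, one per line, sorted.
# Tree lines look like "[INFO] |  \- group:artifact:packaging[:classifier]:version:scope",
# so after stripping the prefix the version is always the second-to-last field.
versions_of() {
  printf '%s\n' "$2" \
    | grep "$1:" \
    | sed -e 's/^\[INFO\] [-| +\\]*//' \
    | awk -F: '{ print $(NF-1) }' \
    | sort -u
}

# count_versions GROUP:ARTIFACT TREE_TEXT -> number of distinct versions
count_versions() {
  versions_of "$1" "$2" | wc -l | tr -d ' '
}

# check_single_version GROUP:ARTIFACT TREE_TEXT
# Returns 0 when exactly one version is present, 1 otherwise (usable as a CI gate
# after `mvn dependency:tree -Dincludes=org.xerial.snappy > tree.txt`).
check_single_version() {
  n=$(count_versions "$1" "$2")
  [ "$n" -eq 1 ]
}

# Stand-alone usage on the two constructed trees.
for t in "$TREE_TWO_VERSIONS" "$TREE_ONE_VERSION"; do
  if check_single_version org.xerial.snappy:snappy-java "$t"; then
    echo "OK: single snappy-java version: $(versions_of org.xerial.snappy:snappy-java "$t")"
  else
    echo "WARN: multiple snappy-java versions: $(versions_of org.xerial.snappy:snappy-java "$t" | tr '\n' ' ')"
  fi
done
```

On a real build, feed the script the saved output of `mvn dependency:tree` for the module; the `-Dincludes` filter keeps the tree small, and the non-zero exit from `check_single_version` is what a CI job would key on.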



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
