snuyanzin commented on code in PR #25602:
URL: https://github.com/apache/flink/pull/25602#discussion_r1864931775
##########
flink-table/flink-table-calcite-bridge/pom.xml:
##########
@@ -152,9 +152,21 @@ under the License.
<groupId>org.locationtech.proj4j</groupId>
<artifactId>proj4j</artifactId>
</exclusion>
+ <!-- Exclude json-path as we are manually
overriding it to a newer version -->
+ <exclusion>
+ <groupId>com.jayway.jsonpath</groupId>
+ <artifactId>json-path</artifactId>
+ </exclusion>
</exclusions>
</dependency>
+ <!-- Override the json-path version used by Calcite 1.32 to
deal with CVE-2023-1370 -->
Review Comment:
I don't think it is good practice to say that we override something in one
of the dependency and mentioning its version.
Problem 1: now it is not 1.32, and as a result it will only confuse people
since not clear why we talking about 1.32 here or whatever other version if it
doesn't match the actual dependency
Problem2: It says nothing what to do with it. In fact I would replace this
comment with something like
```
TODO: remove together with Calcite upgrade to 1.38.0, more details are at
FLINK-XXXX (put your jira issue here)
```
Then it would be much clear when and what we should do with this and where
to go to get more info
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
