[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16900284#comment-16900284 ]
Viraj Jasani commented on HBASE-22728:
--------------------------------------
If the attached mvn tree output is fine, is it good to backport some of
[HBASE-16338|https://jira.apache.org/jira/browse/HBASE-16338] (Jackson 2) for
hbase-rest and hbase-server? Anyway, by turning off the transitive dependency on
org.codehaus.jackson, downstreamers might break. And apart from hbase-rest and
hbase-server, other modules have major Jackson usages in unit tests.
Considering all of these, should it be fine to maybe completely replace Jackson 1
with 2 in branch-1?
If the answer is no due to downstreamers, they can break even with the removal of
Jackson 1 from the classpath now. Maybe I am missing something specific? Or
"version upgrade should be done in major release only" is a very strict rule to
follow even if the version in use is ~7 years old?
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728.branch-1.01.patch,
> HBASE-22728.branch-1.02.patch, HBASE-22728.branch-1.04.patch,
> HBASE-22728.branch-1.06.patch, dependency_codehaus.out
>
>
> Avoid Jackson versions and dependencies with known CVEs