[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16903273#comment-16903273 ]

Andrew Purtell edited comment on HBASE-22728 at 8/8/19 7:49 PM:
----------------------------------------------------------------

So this is annoying. I think we have to shade the org.codehaus.jackson dependencies and bundle them into our binary release, but not export them as a transitive dependency from Maven. Maybe a dependency on hbase-thirdparty is the way forward, because that kind of dependency shading is already done there. The minor release of 1.5.0, still pending, is an occasion where we can make this kind of change in our dependencies I think.

was (Author: apurtell):
So this is annoying. I think we have to shade the org.codehause.jackson dependencies and bundle them into our binary release, but not export them as a transitive dependency from Maven. Maybe a dependency on hbase-thirdparty is the way forward, because that kind of dependency shading is already done there. The minor release of 1.5.0, still pending, is an occasion where we can make this kind of change in our dependencies I think.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>   Affects Versions: 1.4.10, 1.3.5
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.3.6, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)