[
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16906568#comment-16906568
]
Andrew Purtell commented on HBASE-22728:
----------------------------------------
Let's step back and consider the basic motivation:
We want to avoid putting vulnerable jackson dependencies on the classpath of
unsuspecting user applications via transitive dependencies.
An exception to this would be the shaded client, which of course must shade in
those dependencies, but for this we can document a warning.
So then we should try 'provided' or 'test' scope in client and then 'compile'
scope anywhere else as needed, including or especially assembly, would meet our
objective.
We can say we have tried to do more, but it hasn't worked out.
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Assignee: Viraj Jasani
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
> Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch,
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch,
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch,
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch,
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch,
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
