Duo Zhang created HBASE-28188:
---------------------------------
Summary: Narrow the netty3 dependency scope
Key: HBASE-28188
URL: https://issues.apache.org/jira/browse/HBASE-28188
Project: HBase
Issue Type: Task
Components: dependencies, hadoop3, security
Reporter: Duo Zhang
Netty 3 has a bunch of CVEs and will never be fixed.
In HBase, we poll in netty 3 dependency through hadoop, and till hadop 3.3.6,
the dependency is still there.
The only place for hadoop 3.1.x where we depend on netty 3 is in MR's
ShuffleHandler.
https://issues.apache.org/jira/browse/HADOOP-15327
So I think at least wecould narrow the dependency scope for netty 3 to test
scope, as it is only used in tests we start a MiniMRCluster.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
