Apache9 commented on code in PR #6295:
URL: https://github.com/apache/hbase/pull/6295#discussion_r1777956523
##########
pom.xml:
##########
@@ -931,7 +931,7 @@
databind] must be kept in sync with the version of
jackson-jaxrs-json-provider shipped in
hbase-thirdparty.
-->
- <hbase-thirdparty.version>4.1.8</hbase-thirdparty.version>
+ <hbase-thirdparty.version>4.1.9</hbase-thirdparty.version>
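Review bot: the comment directly above the changed property requires another version to be kept in sync with the jackson-jaxrs-json-provider shipped in hbase-thirdparty, yet the hunk changes only hbase-thirdparty.version from 4.1.8 to 4.1.9. Please confirm that 4.1.9 ships the same jackson-jaxrs-json-provider version as 4.1.8, or update the property that comment refers to in this same change so the two do not drift apart.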
Review Comment:
Let me explain more clearly.
For error prone, we'd better also bump error prone to the same version
as thirdparty, but it is not trivial sometimes, and since hbase-thirdparty
only depends on the annotation jar (not even shaded), it is not likely to
introduce any conflicts. So I think it is better to have a separate issue for
bumping it, after upgrading hbase-thirdparty.
For netty, since hbase does not depend on netty4 directly, we do not need to
align the netty version with the one in hbase-thirdparty.
We maintain it in our pom because of the conflicts between zookeeper and
hadoop. So if there are no CVEs for netty, we do not need to bump it in hbase.
And after hadoop 3.4.0, since hadoop also shades netty (IIRC), maybe we do
not even need to do this any more. If there are new CVEs for netty, maybe we just
need to bump the zookeeper dependency?