[ https://issues.apache.org/jira/browse/NIFI-4297?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16126588#comment-16126588 ]
ASF GitHub Bot commented on NIFI-4297:
--------------------------------------
Github user alopresto commented on the issue:
https://github.com/apache/nifi/pull/2084
I ran the `mvn dependency:tree` on current `master` and compared to the output above. There are only 2 differences aside from the version upgrades:

1. `aopalliance:aopalliance:1.0` moves from `org.springframework:spring-aop:jar:4.2.4.RELEASE` to `org.springframework.security:spring-security-core:jar:4.2.3.RELEASE` but has the same version and license as currently exists.
2. `ring-cors:ring-cors:0.1.5` is a new transitive dependency brought in by `org.apache.storm:storm-core:jar:1.1.1` after it was upgraded from `1.0.1`. `ring-cors` uses the [EPL 1.0](https://eclipse.org/org/documents/epl-v10.php), which is considered [Category B by Apache](https://www.apache.org/legal/resolved.html#category-b). I believe this is acceptable from the statement:

   > For small amounts of source that is directly consumed by the ASF product at runtime in source form, and for which that source is unmodified and unlikely to be changed anyway (say, by virtue of being specified by a standard), inclusion of appropriately labeled source is also permitted.

There is no existing `LICENSE` or `NOTICE` file in the `nifi-external` or `nifi-external/nifi-storm-spout` modules, which is where this code is brought in. @joewitt, please advise on proper license/notice model to follow/copy here.

> Immediately actionable dependency upgrades
> ------------------------------------------
>
> Key: NIFI-4297
> URL: https://issues.apache.org/jira/browse/NIFI-4297
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Extensions
> Affects Versions: 1.3.0
> Reporter: Andy LoPresto
> Assignee: Andy LoPresto
> Labels: dependencies, security
>
> The immediately actionable items are:
> * {{org.apache.logging.log4j:log4j-core}} in {{nifi-storm-spout}} 2.1 -> 2.8.2
> * {{org.apache.poi:poi}} in {{nifi-email-processors}} 3.14 -> 3.15
> * {{org.apache.logging.log4j:log4j-core}} in
> {{nifi-elasticsearch-5-processors}} 2.7 -> 2.8.2
> * {{org.springframework:spring-web}} in {{nifi-jetty}} 4.2.4.RELEASE ->
> 4.3.10.RELEASE
> * {{org.springframework:spring-web}} in {{nifi-jetty}} 4.2.4.RELEASE ->
> 4.3.10.RELEASE
> * {{org.apache.derby:derby}} in {{nifi-kite-processors}} 10.11.1.1 ->
> 10.12.1.1 (already excluded)
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-azure-processors}}
> 2.6.0 -> 2.8.6
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-expression-language}}
> 2.6.1 -> 2.8.6
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-standard-utils}}
> 2.6.2 -> 2.8.6
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-hwx-schema-registry}}
> 2.7.3 -> 2.8.6
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-solr-processors}}
> 2.5.4 -> 2.8.6
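The comparison described in the comment above (two `mvn dependency:tree` runs, with version upgrades set aside), as an added example that is not part of the original message or of NiFi's code. The function names `parse_tree` and `diff_trees` are hypothetical, the root `example:app` is a placeholder, and the two trees are constructed: only the coordinates quoted in the comment come from the page.

```python
import re

# Plain-text `mvn dependency:tree` line: "[INFO] ", 3-char indents, "+- " or "\- ", coords.
LINE = re.compile(r"^(?:\[INFO\] )?((?:[| ]  )*)([+\\]- )?(\S+:\S+)$")

def parse_tree(text):
    """Map 'group:artifact' -> (parent 'group:artifact' or None, version)."""
    deps, stack = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        parts = m.group(3).split(":") if m else []
        if len(parts) < 4:
            continue  # Maven banner, summary or blank line
        depth = len(m.group(1)) // 3 + (1 if m.group(2) else 0)
        ga = ":".join(parts[:2])
        version = parts[-1] if len(parts) == 4 else parts[-2]  # root has no scope field
        del stack[depth:]  # pop back to this line's parent
        deps[ga] = (stack[-1] if stack else None, version)
        stack.append(ga)
    return deps

def diff_trees(old_text, new_text):
    """Report new and re-parented artifacts; version-only upgrades are ignored."""
    old, new = parse_tree(old_text), parse_tree(new_text)
    report = {"added": {}, "moved": {}}
    for ga, (parent, version) in new.items():
        if ga not in old:
            via = f"{parent}:{new[parent][1]}" if parent else None
            report["added"][ga] = (version, via)
        elif old[ga][0] != parent:
            report["moved"][ga] = (old[ga][0], parent)
    return report

# Constructed sample trees (assumption: default, non-verbose output, one line per artifact).
OLD = r"""
[INFO] example:app:jar:0
[INFO] +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO] \- org.apache.storm:storm-core:jar:1.0.1:provided
"""
NEW = r"""
[INFO] example:app:jar:0
[INFO] +- org.springframework:spring-aop:jar:4.3.10.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] \- org.apache.storm:storm-core:jar:1.1.1:provided
[INFO]    \- ring-cors:ring-cors:jar:0.1.5:provided
"""
```

`diff_trees(OLD, NEW)` lists `ring-cors` under `added` together with the parent that pulled it in, and `aopalliance` under `moved`; each `added` entry is a dependency whose license and `NOTICE` obligations still need review.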