[ https://issues.apache.org/jira/browse/PHOENIX-6610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458942#comment-17458942 ]
ASF GitHub Bot commented on PHOENIX-6610:
-----------------------------------------
stoty commented on pull request #68:
URL: https://github.com/apache/phoenix-connectors/pull/68#issuecomment-993221199
Trying to fix indirect dependencies that are not even shipped in the product
is a losing game, we should not go down that path.
We already have about a dozen CVEs coming in from the indirect
dependencies (Hadoop, HBase), and we as a policy do not do anything about them
(apart from upgrading the direct dependency version where we can).
When automated tools find those, we always tell whoever runs them to fix it
in the bad dependency.
You could even argue that hiding those dependencies is counter-productive,
as even if the problem versions don't show up in a scan, they will still be
there in the runtime, and make the production system vulnerable.
(Also 2.16.0 has been released in the meantime)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
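The point made in the comment above is that a scanner reading the POM can be satisfied by exclusions while the vulnerable class files still end up on the runtime classpath (for instance inside a shaded jar). The following is an added example, not code from the Phoenix project or from the pull request, that audits the jars actually shipped in a lib directory instead of the declared dependency tree: it reads the `pom.properties` that Maven embeds in each artifact, falls back to the file name, and also reports any jar that carries `JndiLookup.class` with no discoverable version. The sample jars it builds are constructed placeholders with dummy class bytes; the 2.16.0 threshold is the version named in the comment.

```python
import os
import re
import tempfile
import zipfile

# Minimum log4j-core version accepted by this audit (2.16.0 is the
# release mentioned in the discussion above).
MIN_SAFE = (2, 16, 0)
# Location where Maven embeds artifact coordinates inside a jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose presence marks an (unrelocated) copy of log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text):
    """'2.16.0' -> (2, 16, 0); None if the text does not start with x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Return (version tuple or None, has_jndi_lookup) for one jar on disk."""
    version = None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi = JNDI_LOOKUP in names
        if POM_PROPS in names:
            for line in jar.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = parse_version(line.split("=", 1)[1].strip())
    if version is None:
        # Fall back to the conventional artifact file name.
        m = NAME_RE.search(os.path.basename(path))
        if m:
            version = tuple(int(x) for x in m.groups())
    return version, has_jndi


def audit_classpath(lib_dir):
    """Map jar name -> (version, flagged) for every jar that carries log4j-core.

    A jar is flagged when its version is below MIN_SAFE, or when it contains
    JndiLookup.class but no version could be determined at all.
    """
    findings = {}
    for name in sorted(os.listdir(lib_dir)):
        if not name.endswith(".jar"):
            continue
        version, has_jndi = inspect_jar(os.path.join(lib_dir, name))
        if version is None and not has_jndi:
            continue  # no trace of log4j-core in this jar
        flagged = version is None or version < MIN_SAFE
        findings[name] = (version, flagged)
    return findings


def build_sample_lib(root):
    """Write constructed placeholder jars (not real artifacts) into root."""
    def write_jar(name, version):
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                    "artifactId=log4j-core\n"
                                    f"version={version}\n")
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # dummy class bytes

    write_jar("log4j-core-2.14.1.jar", "2.14.1")
    write_jar("log4j-core-2.16.0.jar", "2.16.0")
    # An uber jar: the POM of the product never mentions log4j-core, yet an
    # old copy of it is bundled and will be on the runtime classpath.
    write_jar("phoenix-connectors-shaded.jar", "2.13.3")
    with zipfile.ZipFile(os.path.join(root, "unrelated-lib-1.0.jar"), "w") as jar:
        jar.writestr("com/example/Util.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the constructed lib directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_lib(root)
        return audit_classpath(root)


if __name__ == "__main__":
    for jar, (version, flagged) in demo().items():
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'FLAG' if flagged else 'ok  '} {jar} (log4j-core {shown})")
```

Run against a real `lib/` directory with `audit_classpath("/path/to/lib")`; the shaded jar in the demo is the case the comment describes, where nothing in the dependency declaration points at the vulnerable copy that is actually deployed.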
> [Phoenix-connectors] Upgrade Log4j dependency to address CVE-2021-44228
> ------------------------------------------------------------------------
>
> Key: PHOENIX-6610
> URL: https://issues.apache.org/jira/browse/PHOENIX-6610
> Project: Phoenix
> Issue Type: Bug
> Reporter: Ankit Singhal
> Assignee: Ankit Singhal
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)