ksobolew opened a new pull request, #1613:
URL: https://github.com/apache/phoenix/pull/1613

   These descriptors are included in the dependencies, from which the shaded 
JARs are compiled, but they do not really describe the contents of those JARs - 
instead, they are information about *their* transitive dependencies. These 
descriptors would be included in the shaded JAR and misrepresent the actual 
contents of the JAR. Also, multiple dependencies may include the same 
descriptor from different versions of a particular transitive dependency, and 
the Shade plugin will pick one at random to include in the shaded JAR. Usually 
the one picked will be from a different version than we actually include in the 
JAR. For example, for `jackson-databind` we depend on version 2.12.6, but the 
Maven descriptor in the shaded JAR would be from version 2.4.0.
   
   As an additional concern, these descriptors would confuse security scanners, 
which would flag the JAR as including an old, vulnerable version of a 
dependency even if that's not actually true.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@phoenix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
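To make the scanner concern concrete, here is an added example (not code from the Phoenix PR or project) that audits the `META-INF/maven/<groupId>/<artifactId>/pom.properties` descriptors inside a JAR and compares the versions they declare with the versions the build actually bundled. It builds a constructed shaded JAR in a temporary directory reproducing the situation above: classes that really come from `jackson-databind` 2.12.6 sitting next to a stale descriptor declaring 2.4.0. The relocation prefix `org/example/shaded/`, the `org.example:example-app` artifact, and the `BUNDLED_VERSIONS` map are all assumptions for the demo.

```python
"""Audit Maven descriptors in a (shaded) JAR.

Added example; not from the Apache Phoenix PR. Demonstrates how a stale
META-INF/maven/**/pom.properties file makes a descriptor-based scanner
report a dependency version that is not the one actually bundled.
"""
import os
import tempfile
import zipfile

# Constructed: the versions the build's dependency resolution actually put
# into the shaded JAR (the PR text cites jackson-databind 2.12.6).
BUNDLED_VERSIONS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.12.6",
    ("org.example", "example-app"): "1.0.0",  # hypothetical top-level artifact
}


def _parse_properties(text):
    """Minimal java.util.Properties reader: '=' or ':' separators, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        for sep in ("=", ":"):
            if sep in line:
                key, value = line.split(sep, 1)
                props[key.strip()] = value.strip()
                break
    return props


def maven_descriptors(jar_path):
    """Return {(groupId, artifactId): version} for every pom.properties in the JAR.

    Descriptor layout: META-INF/maven/<groupId>/<artifactId>/pom.properties.
    This is exactly what a descriptor-based scanner keys its findings on.
    """
    found = {}
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.properties":
                props = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                key = (props.get("groupId", parts[2]), props.get("artifactId", parts[3]))
                found[key] = props.get("version")
    return found


def find_mismatches(jar_path, bundled_versions):
    """List descriptors whose version disagrees with what the build bundled.

    Returns (groupId, artifactId, descriptor_version, bundled_version) tuples;
    bundled_version is None when no artifact with that coordinate was bundled
    at all (a descriptor carried in purely from a transitive dependency).
    """
    mismatches = []
    for (group, artifact), declared in sorted(maven_descriptors(jar_path).items()):
        bundled = bundled_versions.get((group, artifact))
        if bundled != declared:
            mismatches.append((group, artifact, declared, bundled))
    return mismatches


def build_sample_jar(path):
    """Write a constructed shaded JAR reproducing the situation described in the PR."""
    with zipfile.ZipFile(path, "w") as zf:
        # Relocated class that really comes from jackson-databind 2.12.6
        # (dummy bytes; the relocation prefix is an assumption for this demo).
        zf.writestr("org/example/shaded/com/fasterxml/jackson/databind/ObjectMapper.class",
                    b"\xca\xfe\xba\xbe")
        # Stale descriptor picked up from a dependency's own bundled metadata.
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    "#Generated by Maven\nversion=2.4.0\n"
                    "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n")
        # A descriptor that does match what was bundled.
        zf.writestr("META-INF/maven/org.example/example-app/pom.properties",
                    "version=1.0.0\ngroupId=org.example\nartifactId=example-app\n")
    return path


def demo():
    """Build the sample JAR and return (descriptors found, mismatches)."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(os.path.join(tmp, "sample-shaded.jar"))
        return maven_descriptors(jar), find_mismatches(jar, BUNDLED_VERSIONS)


if __name__ == "__main__":
    descriptors, mismatches = demo()
    for (group, artifact), version in sorted(descriptors.items()):
        print(f"descriptor: {group}:{artifact}:{version}")
    for group, artifact, declared, bundled in mismatches:
        print(f"MISMATCH {group}:{artifact} descriptor={declared} bundled={bundled}")
```

Run against a real shaded JAR, `maven_descriptors()` shows what a scanner will "see"; the `jackson-databind` entry reports 2.4.0 even though the relocated classes are from 2.12.6, which is the false positive the PR describes. The standard remedy is to keep these descriptors out of the shaded artifact in the first place, for example with a maven-shade-plugin `<filter>` whose `<excludes>` drops `META-INF/maven/**` from the merged dependencies; whether that is the exact change in this PR is not shown on this page.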
