[jira] [Commented] (RATIS-1507) [thirdparty] Clean up the vulnerabilities from dependencies

[Tsz-wo Sze (Jira)]

    [ 
https://issues.apache.org/jira/browse/RATIS-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17481253#comment-17481253
 ] 

Tsz-wo Sze commented on RATIS-1507:
-----------------------------------

Current dependency tree
{code}
[INFO] ---------------< org.apache.ratis:ratis-thirdparty-misc >---------------
[INFO] Building Apache Ratis Thirdparty Miscellaneous 0.8.0-SNAPSHOT      [2/3]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ 
ratis-thirdparty-misc ---
[INFO] org.apache.ratis:ratis-thirdparty-misc:jar:0.8.0-SNAPSHOT
[INFO] +- com.google.protobuf:protobuf-java:jar:3.19.2:compile
[INFO] +- io.grpc:grpc-netty:jar:1.43.2:compile
[INFO] |  +- io.grpc:grpc-core:jar:1.43.2:compile (version selected from 
constraint [1.43.2,1.43.2])
[INFO] |  |  +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.63.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.63.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.63.Final:compile
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.63.Final:compile
[INFO] |  |  |  \- io.netty:netty-resolver:jar:4.1.63.Final:compile
[INFO] |  |  +- io.netty:netty-codec:jar:4.1.63.Final:compile
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.63.Final:compile
[INFO] |  |  \- io.netty:netty-codec-http:jar:4.1.63.Final:compile
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.63.Final:runtime
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.63.Final:runtime
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.9.0:compile
[INFO] |  \- io.perfmark:perfmark-api:jar:0.23.0:runtime
[INFO] +- io.grpc:grpc-protobuf:jar:1.43.2:compile
[INFO] |  +- io.grpc:grpc-api:jar:1.43.2:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] |  \- io.grpc:grpc-protobuf-lite:jar:1.43.2:compile
[INFO] +- io.grpc:grpc-stub:jar:1.43.2:compile
[INFO] +- io.grpc:grpc-context:jar:1.43.2:compile
[INFO] +- com.google.guava:guava:jar:28.2-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- 
com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.10.0:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- io.netty:netty-all:jar:4.1.63.Final:compile
[INFO] +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] +- io.netty:netty-tcnative-boringssl-static:jar:2.0.38.Final:compile
[INFO] +- io.opencensus:opencensus-api:jar:0.21.0:compile
[INFO] \- io.opencensus:opencensus-contrib-grpc-metrics:jar:0.21.0:compile
{code}


> [thirdparty] Clean up the vulnerabilities from dependencies
> -----------------------------------------------------------
>
>                 Key: RATIS-1507
>                 URL: https://issues.apache.org/jira/browse/RATIS-1507
>             Project: Ratis
>          Issue Type: Bug
>          Components: thirdparty
>            Reporter: Tsz-wo Sze
>            Assignee: Tsz-wo Sze
>            Priority: Major
>
> Clean up the vulnerabilities from dependencies; see 
> https://mvnrepository.com/artifact/org.apache.ratis/ratis-thirdparty/0.7.0
> We should
> - bump guava version.
> - Move junit and slf4j-log4j12 to test since they are only used in test.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)