[ https://issues.apache.org/jira/browse/SOLR-16562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17652114#comment-17652114 ]

David Smiley commented on SOLR-16562:
-------------------------------------
It should be noted that this change also upgraded Protobuf from 3.21.4 to
3.21.8. This resolves a CVE (great) but it's a very indirect and subtle change
from upgrading a mere caching library that one would think wouldn't have such
dependencies.

I observe that our build.gradle references Caffeine in 3 places, 2 of which
specify Caffeine with transitive=false but not 1, in HDFS. Consequently, we
have all these unwanted transitive dependency impacts. Locally I modified the
build to specify transitive=false in HDFS and re-generated the versions.lock to
see the impact. It decremented some references, lowered some versions (like
Protobuf), and, particularly nice, removed lines from the upper non-test
section of the file for Kotlin.

> Upgrade to Caffeine 3.1.2
> -------------------------
>
> Key: SOLR-16562
> URL: https://issues.apache.org/jira/browse/SOLR-16562
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Major
> Fix For: main (10.0), 9.2
>
> Time Spent: 3h
> Remaining Estimate: 0h
>
> SOLR-16489 found an issue with infinite loop and during that Caffeine 3.1.2
> was released that has some infinite loop detection added.
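
The lock-file comparison described in the comment can be scripted so that a transitive change such as the Protobuf one is visible at review time. This is an added example, not part of the original message or the Solr build; the `group:artifact:version (N constraints: hash)` line shape and the `[Test dependencies]` marker are assumed from the gradle-consistent-versions lock format, and the sample data is constructed.

```python
import re
# Assumed lock-line shape: group:artifact:version (N constraints: hash)
LINE = re.compile(r"^([^:\s]+:[^:\s]+):(\S+) \((\d+) constraints?: \w+\)$")

def parse_lock(text):
    """Map (section, 'group:artifact') -> (version, constraint count)."""
    section, deps = "production", {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "[Test dependencies]":   # everything after this is test-only
            section = "test"
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised lock line: {line!r}")
        deps[(section, m[1])] = (m[2], int(m[3]))
    return deps

def diff_locks(before, after):
    """Classify every change between two lock files for review."""
    old, new = parse_lock(before), parse_lock(after)
    report = {"added": [], "removed": [], "version": [], "constraints": []}
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            report["added"].append((key, new[key][0]))
        elif key not in new:
            report["removed"].append((key, old[key][0]))
        else:
            (ov, oc), (nv, nc) = old[key], new[key]
            if ov != nv:
                report["version"].append((key, ov, nv))
            if oc != nc:
                report["constraints"].append((key, oc, nc))
    return report

# Constructed samples: hashes, counts and the 0.0.0 placeholder versions are made up.
BEFORE = """\
com.github.ben-manes.caffeine:caffeine:3.1.2 (3 constraints: aaaa0001)
com.google.protobuf:protobuf-java:3.21.8 (5 constraints: aaaa0002)
org.jetbrains.kotlin:kotlin-stdlib:0.0.0 (1 constraints: aaaa0003)
[Test dependencies]
junit:junit:0.0.0 (2 constraints: aaaa0004)
"""
AFTER = """\
com.github.ben-manes.caffeine:caffeine:3.1.2 (2 constraints: bbbb0001)
com.google.protobuf:protobuf-java:3.21.4 (4 constraints: bbbb0002)
[Test dependencies]
junit:junit:0.0.0 (2 constraints: aaaa0004)
"""
```

Calling `diff_locks(BEFORE, AFTER)` returns the removed production entries, version changes and constraint-count changes as separate lists, which is the breakdown the comment reports by hand.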