[jira] [Updated] (TEZ-4169) Remove transitive compile time jackson dependency

Tue, 05 May 2020 08:49:33 -0700 


     [ 
https://issues.apache.org/jira/browse/TEZ-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

László Bodor updated TEZ-4169:
------------------------------
    Description: 
Tez has many occurrences of jackson dependencies in its dep tree, however none 
of them is direct:
{code}
 lbodor@HW12459  ~/apache/tez   master  mvn dependency:tree | grep jackson 
| wc -l
     204
{code}

It's misleading because tez protobuf history plugin does depend on jackson 
mapper, so it should have jackson as a direct dependency.

Similarly to other dependencies, transitive deps can also trigger security scan 
alerts, complaining about outdated jackson dependencies. It would be cleaner to 
completely remove unused transitive jackson depdendencies and re-add them in 
test scope where it's needed for clarity's sake.

  was:
Tez has many occurrences of jackson dependencies in its dep tree, however none 
of them is direct:
{code}
 lbodor@HW12459  ~/apache/tez   master  mvn dependency:tree | grep jackson 
| wc -l
     204
{code}
Similarly to other dependencies, this can also trigger security scan alerts, 
complaining about outdated jackson dependencies. It would be cleaner to 
completely remove this and re-add in test scope where it's needed for clarity's 
sake.


> Remove transitive compile time jackson dependency
> -------------------------------------------------
>
>                 Key: TEZ-4169
>                 URL: https://issues.apache.org/jira/browse/TEZ-4169
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>
> Tez has many occurrences of jackson dependencies in its dep tree, however 
> none of them is direct:
> {code}
>  lbodor@HW12459  ~/apache/tez   master  mvn dependency:tree | grep 
> jackson | wc -l
>      204
> {code}
> It's misleading because tez protobuf history plugin does depend on jackson 
> mapper, so it should have jackson as a direct dependency.
> Similarly to other dependencies, transitive deps can also trigger security 
> scan alerts, complaining about outdated jackson dependencies. It would be 
> cleaner to completely remove unused transitive jackson depdendencies and 
> re-add them in test scope where it's needed for clarity's sake.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to