[ https://issues.apache.org/jira/browse/TEZ-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17116417#comment-17116417 ]
Ashutosh Chauhan commented on TEZ-4169:
---------------------------------------

+1

> Remove unused transitive compile time jackson dependencies
> ----------------------------------------------------------
>
> Key: TEZ-4169
> URL: https://issues.apache.org/jira/browse/TEZ-4169
> Project: Apache Tez
> Issue Type: Bug
> Reporter: László Bodor
> Assignee: László Bodor
> Priority: Major
> Attachments: TEZ-4169.01.patch, TEZ-4169.02.patch, TEZ-4169.03.patch,
> TEZ-4169.04.patch, TEZ-4169.05.patch, TEZ-4169.06.patch, TEZ-4169.07.patch,
> TEZ-4169.07.patch
>
>
> Tez has many occurrences of jackson dependencies in its dep tree, however
> none of them is direct:
> {code}
> lbodor@HW12459 ~/apache/tez master mvn dependency:tree | grep jackson | wc -l
> 204
> {code}
> This is misleading, because tez protobuf history plugin does depend on
> jackson mapper, so it should have jackson as a direct dependency.
> Similarly to other dependencies, transitive deps can also trigger security
> scan alerts, complaining about outdated jackson dependencies. It would be
> cleaner to:
> 1. completely remove unused transitive jackson dependencies and re-add them
> in test scope where it's needed for clarity's sake
> 2. include jackson as direct dependency where it's used (this could move
> focus to that place when there is a need for an upgrade)

--
This message was sent by Atlassian Jira (v8.3.4#803005)
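
An added example, not part of the original message or of the Tez project: the `mvn dependency:tree | grep jackson | wc -l` count in the description says how many jackson entries exist but not which are direct, so this sketch separates the two and names the direct dependency that pulls each transitive entry in (the place an exclusion would go). The function names and the sample tree, including its module names and versions, are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify jackson entries in `mvn dependency:tree` output.
# Prints one line per hit: <module> <direct|transitive> <jackson g:a> <via>
# where <via> is the direct dependency that drags a transitive hit in.
jackson_report() {
  awk '
    { sub(/^\[INFO\] /, "") }
    # The first alphanumeric character ends the tree-drawing prefix.
    !match($0, /[A-Za-z0-9]/) { next }
    {
      coord = substr($0, RSTART)
      # Tree nodes are space-free coordinates indented in steps of three;
      # everything else is Maven log chatter.
      if (coord ~ / / || (RSTART - 1) % 3 != 0) next
      if (split(coord, f, ":") < 4) next
      depth = (RSTART - 1) / 3
      ga = f[1] ":" f[2]
      if (depth == 0) { module = f[2]; next }  # module root line
      if (depth == 1) parent = ga              # direct dependency
      if (ga ~ /jackson/)
        print module, (depth == 1 ? "direct" : "transitive"), ga, (depth == 1 ? "-" : parent)
    }
  '
}

# Constructed sample output (module names and versions are made up).
sample_tree() {
  cat <<'EOF'
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ module-a ---
[INFO] org.example:module-a:jar:1.0.0
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.1.3:provided
[INFO] |  +- com.sun.jersey:jersey-json:jar:1.19:provided
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:provided
[INFO] |  |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:provided
[INFO] \- junit:junit:jar:4.12:test
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ module-b ---
[INFO] org.example:module-b:jar:1.0.0
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- org.example:module-a:jar:1.0.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
EOF
}

sample_tree | jackson_report
```

On a real checkout, pipe `mvn dependency:tree` into `jackson_report` instead of the sample.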