[jira] [Commented] (TEZ-4169) Decouple from Hadoop's jackson version and shade the latest in Tez

Mon, 07 Nov 2022 23:39:07 -0800 


    [ 
https://issues.apache.org/jira/browse/TEZ-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630246#comment-17630246
 ] 

Hadoop QA commented on TEZ-4169:
--------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} reexec {color} | {color:blue}  0m  
0s{color} | {color:blue} Docker mode activated. {color} |
| {color:red}-1{color} | {color:red} patch {color} | {color:red}  0m  6s{color} 
| {color:red} TEZ-4169 does not apply to master. Rebase required? Wrong Branch? 
See https://cwiki.apache.org/confluence/display/TEZ/How+to+Contribute+to+Tez 
for help. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Issue | TEZ-4169 |
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/13004981/TEZ-4169.09.patch |
| Console output | 
https://ci-hadoop.apache.org/job/PreCommit-TEZ-Build/128/console |
| versions | git=2.17.1 |
| Powered by | Apache Yetus 0.12.0 https://yetus.apache.org |


This message was automatically generated.



> Decouple from Hadoop's jackson version and shade the latest in Tez
> ------------------------------------------------------------------
>
>                 Key: TEZ-4169
>                 URL: https://issues.apache.org/jira/browse/TEZ-4169
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>         Attachments: TEZ-4169.01.patch, TEZ-4169.02.patch, TEZ-4169.03.patch, 
> TEZ-4169.04.patch, TEZ-4169.05.patch, TEZ-4169.06.patch, TEZ-4169.07.patch, 
> TEZ-4169.07.patch, TEZ-4169.08.patch, TEZ-4169.08.patch, TEZ-4169.09.patch
>
>
> Tez has many occurrences of jackson dependencies in its dep tree, however 
> none of them is direct:
> {code}
>  lbodor@HW12459  ~/apache/tez   master  mvn dependency:tree | grep 
> jackson | wc -l
>      204
> {code}
> This is misleading, because tez protobuf history plugin does depend on 
> jackson mapper, so it should have jackson as a direct dependency.
> Similarly to other dependencies, transitive deps can also trigger security 
> scan alerts, complaining about outdated jackson dependencies. It would be 
> cleaner to:
> 1. completely remove unused transitive jackson depdendencies and re-add them 
> in test scope where it's needed for clarity's sake
> 2. include jackson as direct dependency where it's used (this could move 
> focus to that place when there is a need for an upgrade)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to