kezhenxu94 opened a new pull request, #13944: URL: https://github.com/apache/skywalking/pull/13944
### Bump up dependencies to clear CVE alerts on shipped OAP jars Follows up the earlier dependency bumps in the `11.0.0` cycle with a few more that Dependabot / scanners flag on the shipped OAP jars. | Dependency | From | To | Location | |---|---|---|---| | netty (`netty.version`) | `4.2.12.Final` | `4.2.15.Final` | root `pom.xml` | | jackson (`jackson.version`) | `2.18.6` | `2.18.8` | `oap-server-bom/pom.xml` | | jackson-databind (`jackson-databind.version`) | `2.16.0` | `2.18.8` | `oap-server-bom/pom.xml` | | commons-codec (`commons-codec.version`) | `1.11` | `1.13` | `oap-server-bom/pom.xml` | `jackson-databind` was managed by a separate property and had been left behind while the other jackson artifacts moved to `2.18.x`. This realigns the whole jackson family to a single managed version (`2.18.8`), which is generally the recommended jackson setup and avoids a mixed core/databind combination on the classpath. All bumped versions are within the JDK 11 baseline SkyWalking targets (`maven.compiler.release=11`), so no source changes are required — these are managed-version bumps only. - [x] Update the [`CHANGES` log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
