kezhenxu94 opened a new pull request, #13944:
URL: https://github.com/apache/skywalking/pull/13944

   ### Bump up dependencies to clear CVE alerts on shipped OAP jars
   
   Follows up the earlier dependency bumps in the `11.0.0` cycle with a few 
more that Dependabot / scanners flag on the shipped OAP jars.
   
   | Dependency | From | To | Location |
   |---|---|---|---|
   | netty (`netty.version`) | `4.2.12.Final` | `4.2.15.Final` | root `pom.xml` 
|
   | jackson (`jackson.version`) | `2.18.6` | `2.18.8` | 
`oap-server-bom/pom.xml` |
   | jackson-databind (`jackson-databind.version`) | `2.16.0` | `2.18.8` | 
`oap-server-bom/pom.xml` |
   | commons-codec (`commons-codec.version`) | `1.11` | `1.13` | 
`oap-server-bom/pom.xml` |
   
   `jackson-databind` was managed by a separate property and had been left 
behind while the other jackson artifacts moved to `2.18.x`. This realigns the 
whole jackson family to a single managed version (`2.18.8`), which is generally 
the recommended jackson setup and avoids a mixed core/databind combination on 
the classpath.
   
   All bumped versions are within the JDK 11 baseline SkyWalking targets 
(`maven.compiler.release=11`), so no source changes are required — these are 
managed-version bumps only.
   
   - [x] Update the [`CHANGES` 
log](https://github.com/apache/skywalking/blob/master/docs/en/changes/changes.md).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to