griffindvs commented on PR #4376:
URL: https://github.com/apache/cassandra/pull/4376#issuecomment-3289635156
Thank you @smiklosovic and @michaelsembwever for the reviews and guidance!
1. I double-checked that the branch is up-to-date with cassandra-5.0:
```
$ git rebase cassandra-5.0
Current branch 5-snakeyaml-2.1 is up to date.
```
2. I've added the update for jackson-dataformat-yaml to 2.19.2 with the
exclusion for snakeyaml retained in
https://github.com/apache/cassandra/pull/4376/commits/8e65c821a61f0304aa158049931aa5accca0ece1
3. Agreed -- Should I squash all commits in the branch with myself as a
co-author after reviews are completed?
4. Updated in
https://github.com/apache/cassandra/pull/4376/commits/ad06ee33afa7e2b0db61fe93020e63bdd00f36e9
5. Fixed in
https://github.com/apache/cassandra/pull/4376/commits/8e65c821a61f0304aa158049931aa5accca0ece1
6. I think that description would be accurate for the original commit since
all jackson libraries were updated to 2.15.3. In this PR however, we are just
updating jackson-dataformat-yaml since the others were updated elsewhere, so
@smiklosovic makes a good point. I fixed this in
https://github.com/apache/cassandra/pull/4376/commits/8e65c821a61f0304aa158049931aa5accca0ece1.
7. Included the update to 2.19.2 in
https://github.com/apache/cassandra/pull/4376/commits/8e65c821a61f0304aa158049931aa5accca0ece1
8. I ran the dependency-check successfully, though it did catch a couple of
unrelated CVEs (that would probably be addressed separately):
```
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a
CVSS score greater than or equal to '1.0':
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml
(pkg:maven/io.netty/netty-resolver@4.1.94.Final,
cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535,
CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml
(pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final,
cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535,
CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-transport-native-unix-common/pom.xml
(pkg:maven/io.netty/netty-transport-native-unix-common@4.1.94.Final,
cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535,
CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
netty-transport-4.1.119.Final.jar
(pkg:maven/io.netty/netty-transport@4.1.119.Final,
cpe:2.3:a:netty:netty:4.1.119:*:*:*:*:*:*:*): CVE-2025-55163, CVE-2025-58056,
CVE-2025-58057
See the dependency-check report for more details.
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
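An added example, not code from the PR author or from Apache Cassandra: a small Python parser for the `Dependency-Check Failure` text quoted in item 8 above. It re-flows the mail-wrapped output, splits each finding into path, purl, CPE and CVE list, groups the CVEs by netty version (so the IDs reported against 4.1.94 but no longer against 4.1.119 fall out as a set difference), and flags findings whose path sits inside another jar (the `-shaded.jar/META-INF/maven/...` entries), which a bump of the project's own netty dependency does not touch because the vulnerable classes are bundled in the driver jar. The sample input is constructed from the quoted output, with the purls written in the `name@version` form dependency-check prints; the function and class names are this example's own.

```python
"""Parse the "Dependency-Check Failure" text that OWASP dependency-check
prints when a finding meets the configured CVSS threshold.

Added example, not code from the PR author or from Apache Cassandra.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, trimmed from the output quoted in the PR comment, with
# the purls written in the name@version form dependency-check prints.
SAMPLE = """\
Dependency-Check Failure:
One or more dependencies were identified with vulnerabilities that have a
CVSS score greater than or equal to '1.0':
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-resolver/pom.xml
(pkg:maven/io.netty/netty-resolver@4.1.94.Final,
cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535,
CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
cassandra-driver-core-3.12.1-shaded.jar/META-INF/maven/io.netty/netty-transport-classes-epoll/pom.xml
(pkg:maven/io.netty/netty-transport-classes-epoll@4.1.94.Final,
cpe:2.3:a:netty:netty:4.1.94:*:*:*:*:*:*:*): CVE-2025-24970, CVE-2024-47535,
CVE-2025-55163, CVE-2025-58056, CVE-2025-58057
netty-transport-4.1.119.Final.jar
(pkg:maven/io.netty/netty-transport@4.1.119.Final,
cpe:2.3:a:netty:netty:4.1.119:*:*:*:*:*:*:*): CVE-2025-55163, CVE-2025-58056,
CVE-2025-58057
See the dependency-check report for more details.
"""

# One finding reads "<path> (<purl>, <cpe>): CVE-..., CVE-..." once the text
# has been re-flowed onto a single line (the mail gateway wraps lines
# wherever it likes, including between CVE IDs).
ENTRY = re.compile(
    r"(?P<path>\S+)\s+\((?P<purl>pkg:[^,\s)]+),\s*(?P<cpe>cpe:[^\s)]+)\):\s*"
    r"(?P<cves>CVE-\d{4}-\d{4,}(?:,\s*CVE-\d{4}-\d{4,})*)"
)


@dataclass(frozen=True)
class Finding:
    path: str                 # dependency path as printed by dependency-check
    group: str                # Maven groupId taken from the purl
    artifact: str             # Maven artifactId taken from the purl
    version: str              # version taken from the purl, e.g. 4.1.94.Final
    cpe: str
    cves: Tuple[str, ...]
    container: Optional[str]  # enclosing jar when the library is bundled/shaded


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split pkg:maven/<group>/<artifact>@<version> into its three parts."""
    coords, _, version = purl[len("pkg:"):].rpartition("@")
    if not version:
        raise ValueError(f"purl without version: {purl}")
    parts = coords.split("/")
    if len(parts) != 3 or parts[0] != "maven":
        raise ValueError(f"not a Maven purl: {purl}")
    return parts[1], parts[2], version


def parse_failure(text: str) -> List[Finding]:
    """Extract every finding from a dependency-check failure message."""
    flat = " ".join(text.split())  # undo arbitrary line wrapping
    findings: List[Finding] = []
    for m in ENTRY.finditer(flat):
        path = m["path"]
        group, artifact, version = parse_purl(m["purl"])
        # "outer.jar/META-INF/maven/..." means the library is packaged inside outer.jar
        container = path.split(".jar/", 1)[0] + ".jar" if ".jar/" in path else None
        cves = tuple(c.strip() for c in m["cves"].split(","))
        findings.append(Finding(path, group, artifact, version, m["cpe"], cves, container))
    return findings


def cves_by_version(findings: List[Finding], group: str) -> Dict[str, Set[str]]:
    """Union of CVEs reported per version of one groupId's artifacts."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f.group == group:
            out.setdefault(f.version, set()).update(f.cves)
    return out


def bundled_findings(findings: List[Finding]) -> Dict[str, Set[str]]:
    """CVEs that live inside another jar. Bumping the project's own copy of
    the library leaves these in place; the containing jar must be upgraded."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f.container:
            out.setdefault(f.container, set()).update(f.cves)
    return out


if __name__ == "__main__":
    fs = parse_failure(SAMPLE)
    by_ver = cves_by_version(fs, "io.netty")
    for ver in sorted(by_ver):
        print(ver, sorted(by_ver[ver]))
    gone = by_ver["4.1.94.Final"] - by_ver["4.1.119.Final"]
    print("reported at 4.1.94 but not at 4.1.119:", sorted(gone))
    for jar, cves in bundled_findings(fs).items():
        print(f"{len(cves)} CVEs bundled inside {jar}; fix by upgrading that jar")
```

Run it on the full failure text instead of `SAMPLE` to see the same split for every entry; the shaded-driver findings are the ones a netty bump in Cassandra's own build cannot clear, which is why they are reasonably left to a separate change.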