martin-g commented on code in PR #36321:
URL: https://github.com/apache/spark/pull/36321#discussion_r858376595


##########
pom.xml:
##########
@@ -207,6 +207,11 @@
     <commons-cli.version>1.5.0</commons-cli.version>
     <bouncycastle.version>1.60</bouncycastle.version>
     <tink.version>1.6.1</tink.version>
+    <!-- When upgrading `netty.version`, need to check whether
+         the version of `netty-tcnative-classes.version` also needs to be 
upgraded
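Review bot: the comment added after `<tink.version>` leaves keeping `netty-tcnative-classes.version` in step with `netty.version` to a manual check at upgrade time, and the part quoted here does not say where the matching version is to be looked up. Name the source to check against in the comment, or let a single managed set of versions keep the two aligned, so that a netty bump cannot silently leave the tcnative classes on a mismatched release.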

Review Comment:
   No. `-bom`s are included in the `<dependencyManagement>` section and they just define defaults.
   See https://github.com/apache/avro/commit/387f497285d49ffc577263d154bca968e2b5ea65 for an example with Jackson.
   The idea is that you **import** the BOM in the parent pom.xml and then in the child Maven modules you declare the dependencies without specifying a **version**; it is managed by the BOM. In the example above Avro uses 1.12.6 for jackson-core and 1.12.6.1 for jackson-databind (with a CVE fix) but those versions are not mentioned in Avro's pom.xml files.
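
An added example, not part of the review comment or of Spark's or Avro's build: a small audit of the BOM pattern described above, which lists the BOMs a parent pom imports and flags child dependencies that still hard-code a `<version>` and so bypass the BOM's managed (possibly CVE-fixed) version. The two poms are constructed samples with placeholder versions, and the check assumes a BOM manages every artifact in its own groupId.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample poms (not from Spark or Avro); versions are placeholders.
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>io.netty</groupId><artifactId>netty-bom</artifactId>
      <version>${netty.version}</version><type>pom</type><scope>import</scope>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>io.netty</groupId><artifactId>netty-handler</artifactId></dependency>
    <dependency><groupId>io.netty</groupId><artifactId>netty-codec</artifactId>
      <version>0.0.0-PLACEHOLDER</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>other</artifactId>
      <version>1.0</version></dependency>
  </dependencies>
</project>"""

def imported_boms(parent_xml):
    """Return (groupId, artifactId) of every BOM imported in dependencyManagement."""
    root = ET.fromstring(parent_xml)
    boms = []
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if dep.findtext("m:scope", "", NS) == "import" and dep.findtext("m:type", "", NS) == "pom":
            boms.append((dep.findtext("m:groupId", "", NS), dep.findtext("m:artifactId", "", NS)))
    return boms

def pinned_overrides(child_xml, bom_groups):
    """Child dependencies that hard-code a version in a group a BOM is assumed to manage."""
    root = ET.fromstring(child_xml)
    hits = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", "", NS)
        version = dep.findtext("m:version", None, NS)
        # An explicit <version> in the child wins over dependencyManagement.
        if group in bom_groups and version is not None:
            hits.append((group, dep.findtext("m:artifactId", "", NS), version))
    return hits

if __name__ == "__main__":
    boms = imported_boms(PARENT_POM)
    print("imported BOMs:", boms)
    print("explicit versions bypassing the BOM:", pinned_overrides(CHILD_POM, {g for g, _ in boms}))
```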


