roczei commented on code in PR #47795: URL: https://github.com/apache/spark/pull/47795#discussion_r1722273437
########## dev/deps/spark-deps-hadoop-3-hive-2.3: ########## @@ -154,6 +154,9 @@ json4s-scalap_2.13/4.0.7//json4s-scalap_2.13-4.0.7.jar jsr305/3.0.0//jsr305-3.0.0.jar jta/1.1//jta-1.1.jar jul-to-slf4j/2.0.16//jul-to-slf4j-2.0.16.jar +kotlin-stdlib-jdk7/2.0.10//kotlin-stdlib-jdk7-2.0.10.jar +kotlin-stdlib-jdk8/2.0.10//kotlin-stdlib-jdk8-2.0.10.jar +kotlin-stdlib/2.0.10//kotlin-stdlib-2.0.10.jar

Review Comment: @pan3793, yes, I agree that it is bad that we have to add kotlin-stdlib/2.0.10//kotlin-stdlib-2.0.10.jar as a dependency. I have just removed the other two extra dependencies because we do not need them. Related comment: https://github.com/apache/spark/pull/47795#discussion_r1722268608

As I mentioned in the pull request's description, the kubernetes-client's maintainers do not want to upgrade to okhttp 4.x because it is based on Kotlin; they recommend excluding 3.x. Related documentation: https://github.com/fabric8io/kubernetes-client/blob/main/doc/KubernetesClientWithIPv6Clusters.md

Currently I do not see any other solution to resolve these CVEs: CVE-2021-0341, CVE-2023-0833
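Review bot: the hunk still adds kotlin-stdlib-jdk7/2.0.10 and kotlin-stdlib-jdk8/2.0.10 next to kotlin-stdlib/2.0.10, while the comment says those two extra dependencies have been removed; the dev/deps/spark-deps-hadoop-3-hive-2.3 manifest should be regenerated so that only the `+kotlin-stdlib/2.0.10//kotlin-stdlib-2.0.10.jar` line remains and the manifest matches the actual dependency tree.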
