[ 
https://issues.apache.org/jira/browse/HDFS-15964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17319394#comment-17319394
 ] 

Steve Loughran commented on HDFS-15964:
---------------------------------------

Changes like this should be submitted as GitHub PRs. As this changes hdfs too, 
to ensure yetus does the hdfs build/test the PR needs to make some (any) change 
in the HDFS module. Adding a newline to the hdfs pom should be enough - we won't 
merge that.

Be aware: changing dependencies is one of the most traumatic changes we can 
make. A single "change a line in a maven build" can break tests, cause 
downstream incompatibilities, trigger regressions in deployments which don't 
surface in unit tests etc etc.

There is never a *just* update a JAR. It's "update the JAR, see what breaks, 
come up with a plan/timetable to fix". This one should be low risk. But things 
related to: guava, jackson, log4j are project-spanning minefields. T

Further reading 
http://steveloughran.blogspot.com/2016/05/fear-of-dependencies.html

> Please update the okhttp version to 4.9.1
> -----------------------------------------
>
>                 Key: HDFS-15964
>                 URL: https://issues.apache.org/jira/browse/HDFS-15964
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: build, dfsclient, security
>    Affects Versions: 3.3.0
>            Reporter: helen huang
>            Priority: Major
>             Fix For: 3.3.0, 3.4.0
>
>
> Currently the okhttp used by the hdfs client is 2.7.5. Our Fortify scan 
> flagged two issues with this version. Please update it to the latest (it is 
> okhttp3 4.9.1 at this point). Thanks!
> <dependency>
>   <groupId>com.squareup.okhttp3</groupId>
>   <artifactId>okhttp</artifactId>
>   <version>4.9.1</version>
> </dependency>


