[ https://issues.apache.org/jira/browse/YARN-11389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17644738#comment-17644738 ]
ASF GitHub Bot commented on YARN-11389:
---------------------------------------
steveloughran commented on PR #5192:
URL: https://github.com/apache/hadoop/pull/5192#issuecomment-1342536481
I think the maven plugin itself should be upgraded, rather than trying to
add new dependencies (and do the old ones get excluded? How do you guarantee
the new ones get picked up?). What happens later when an upgrade does take
place? Will we remember to remove what may then be older dependencies?

This is a compile-time issue only, no CVE in any redistributables, so hard
to justify creating classpath/version hell for.
> Upgrade spring-core to 5.3.20 in wro4j-maven-plugin
> ----------------------------------------------------
>
> Key: YARN-11389
> URL: https://issues.apache.org/jira/browse/YARN-11389
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: build, yarn-ui-v2
> Affects Versions: 3.4.0
> Reporter: D M Murali Krishna Reddy
> Assignee: D M Murali Krishna Reddy
> Priority: Minor
> Labels: pull-request-available, transitive-cve
>
> Currently during the yarn-ui build we are using a vulnerable version of
> spring-core-3.1.1.RELEASE.jar which has several critical and high
> vulnerabilities; we need to upgrade to version 5.3.20+.
--
This message was sent by Atlassian Jira (v8.20.10#820010)
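As an added illustration (not the Hadoop pom and not the PR's diff), the two approaches discussed in the comment as pom.xml fragments: overriding the plugin's transitive spring-core with a plugin-level dependency, versus bumping the plugin so its own dependency tree no longer carries spring-core 3.1.1. The two `<plugin>` blocks are alternatives, not meant to coexist, and the plugin version strings are placeholders.

```xml
<!-- Added illustration, not the Hadoop build; plugin versions are placeholders -->
<build>
  <plugins>
    <!-- Approach (a), what the PR does: keep the old plugin but declare
         spring-core at plugin level. Maven's nearest-wins conflict resolution
         picks this 5.3.20 over the transitive 3.1.1.RELEASE, which is dropped
         from the plugin classpath. Nothing marks this as a workaround, so a
         later plugin upgrade can silently leave it behind (the point raised
         in the comment). -->
    <plugin>
      <groupId>ro.isdc.wro4j</groupId>
      <artifactId>wro4j-maven-plugin</artifactId>
      <version>OLD_PLUGIN_VERSION</version> <!-- placeholder -->
      <dependencies>
        <dependency>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
          <version>5.3.20</version>
        </dependency>
      </dependencies>
    </plugin>

    <!-- Approach (b), the upgrade the comment asks for: a newer plugin whose
         own dependency tree no longer references the vulnerable jar, so there
         is no override to remember and remove at the next upgrade. -->
    <plugin>
      <groupId>ro.isdc.wro4j</groupId>
      <artifactId>wro4j-maven-plugin</artifactId>
      <version>NEWER_PLUGIN_VERSION</version> <!-- placeholder -->
    </plugin>
  </plugins>
</build>
```

Either way, `mvn dependency:resolve-plugins` (or `mvn -X`, which logs the jars populating each plugin's class realm) shows which spring-core version actually lands on the wro4j plugin classpath, which is the check for the "how do you guarantee the new ones get picked up?" question.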