[ 
https://issues.apache.org/jira/browse/CASSANDRA-15868?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17139422#comment-17139422
 ] 

Aleksey Yeschenko commented on CASSANDRA-15868:
-----------------------------------------------

Hey Matt. To answer your questions from Slack:


{quote}
Do you typically accept these types of dependency updates? 
https://issues.apache.org/jira/browse/CASSANDRA-14473 suggests you do not, 
though there are legitimate vulnerabilities in this case.

Is the minor version bump concerning to anyone? We have heard Netty may not 
guarantee API compatibility across minor versions.
Would adding test results to the PR (unit tests, or running 
https://github.com/apache/cassandra-dtest) help?
{quote}

I'm hesitant to make a 4.0 -> 4.1 upgrade here for the 3.11 branch, as 4.1 is 
known to not be fully compatible with 4.0, and we'd have to do quite a bit of 
testing to safely upgrade the dependency.

bq. Any idea what kind of ETA we might expect for this type of issue / PR?

I'll commit the 4.0 branch version right now, but hold off on upgrading the 3.11 
branch. The bar for that would be higher, though we've never explicitly defined 
it.

> Update Netty version to 4.1.50 because there are security issues in 4.1.37
> --------------------------------------------------------------------------
>
>                 Key: CASSANDRA-15868
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15868
>             Project: Cassandra
>          Issue Type: Task
>          Components: Dependencies
>            Reporter: Stefan Miklosovic
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 3.11.7, 4.0-beta
>
>         Attachments: dependency-check-report.html
>
>
> Please see attached HTML report from OWASP dependency check.


