[
https://issues.apache.org/jira/browse/CASSJAVA-108?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bret McGuire reassigned CASSJAVA-108:
-------------------------------------
Assignee: Bret McGuire
> Update org.json (and very likely ESRI) dependency
> -------------------------------------------------
>
> Key: CASSJAVA-108
> URL: https://issues.apache.org/jira/browse/CASSJAVA-108
> Project: Apache Cassandra Java driver
> Issue Type: Improvement
> Reporter: Bret McGuire
> Assignee: Bret McGuire
> Priority: Normal
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> A [dependabot PR|https://github.com/apache/cassandra-java-driver/pull/1761]
> to update org.json:json sent me down a bit of a rabbit hole re: our
> org.json/ESRI story. First, a bit of context.
>
> The Java driver doesn't directly use org.json:json. This lib is actually [a
> dependency of the ESRI
> lib|https://mvnrepository.com/artifact/com.esri.geometry/esri-geometry-api/1.2.1]
> we use for supporting geographic types in DSE. We keep the version of the
> ESRI dependency fixed so that we're always using the same version used by the
> server. org.json:json occasionally has some CVEs of it's own, however, so
> some time ago we [introduced an explicit dependency on this
> lib|https://github.com/apache/cassandra-java-driver/commit/ca8de6ac15d7e0a15f5476f35481b417f823afc0]
> in order to able to version it independently from what ESRI uses.
>
> The complication is that the server is changing the version of ESRI it uses.
> As of DSE 6.8.35 the version of ESRI used on DSE has been bumped to 2.2.4 and
> the version of org.json:json has been bumped to 20230227.
>
> I think we're basically stuck with bumping the dependency and mentioning that
> we might see issues with older versions of DSE.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
