[ https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17565079#comment-17565079 ]
Ayush Saxena commented on HADOOP-18033:
---------------------------------------

{quote}is it ok to downgrade jackson to 2.12.7? - has latest CVE fixes but not this change
{quote}
Sounds good to me, if we get rid of javax.ws.rs-api dependency without compromising on the CVE, I think there isn't anything better which we can think of. [~aajisaka] too pointed out that we can explore moving to 2.12.7. Initially this Jira too was raised to move Jackson to 2.12.x latest.

I think if the build doesn't complain post removing javax.ws.rs-api and moving to 2.12.7, then we are sorted.

> Upgrade fasterxml Jackson to 2.13.0
> -----------------------------------
>
>                 Key: HADOOP-18033
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18033
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>            Reporter: Akira Ajisaka
>            Assignee: Viraj Jasani
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.2
>
>          Time Spent: 6h
>  Remaining Estimate: 0h
>
> Spark 3.2.0 depends on Jackson 2.12.3. Let's upgrade to 2.12.5 (2.12.x latest as of now) or upper.