There's consensus here to deprecate metrics-reporter-config in 5.0. Is there any objection to removing it in 5.1?
> On Aug 11, 2023, at 10:01 AM, Maxim Muzafarov <mmu...@apache.org> wrote:
>
> +1
>
> The rationale for deprecating/removing this library is not just that
> it is obsolete and doesn't get updates. In fact, when the
> metrics-reporter-config [1] was added the dropwizard metrics library
> (formerly com.yammer.metrics [2]) didn't support exporting metrics to
> files like csv, so it made sense at that time. Now it is fully covered
> by the dropwizard reporters [3], so users can achieve the same
> behaviour without the need for metrics-reporter-config. And that's why
> I have a lot of doubts about it being used by anyone, but deprecation
> is friendlier because there's no rush to remove it. :-)
>
>
> [1] https://issues.apache.org/jira/browse/CASSANDRA-4430
> [2] https://issues.apache.org/jira/browse/CASSANDRA-5838
> [3] https://metrics.dropwizard.io/4.2.0/getting-started.html#other-reporting
>
> On Fri, 11 Aug 2023 at 16:50, Caleb Rackliffe <calebrackli...@gmail.com>
> wrote:
>>
>> +1
>>
>>> On Aug 11, 2023, at 8:10 AM, Brandon Williams <dri...@gmail.com> wrote:
>>>
>>> +1
>>>
>>> Kind Regards,
>>> Brandon
>>>
>>>> On Fri, Aug 11, 2023 at 8:08 AM Ekaterina Dimitrova
>>>> <e.dimitr...@gmail.com> wrote:
>>>>
>>>>
>>>> “The rationale for this proposed deprecation is that the upcoming 5.0
>>>> release is a good time to evaluate dependencies that are no longer
>>>> receiving updates and will become risks in the future.”
>>>>
>>>> Thank you for raising it, I support your proposal for deprecation
>>>>
>>>>> On Fri, 11 Aug 2023 at 8:55, Abe Ratnofsky <a...@aber.io> wrote:
>>>>>
>>>>> Hey folks,
>>>>>
>>>>> Opening a thread to get input on a proposed dependency deprecation in
>>>>> 5.0: metrics-reporter-config has been archived for 3 years and not
>>>>> updated in nearly 6 years.
>>>>>
>>>>> This project has a minor security issue with its usage of unsafe YAML
>>>>> loading via snakeyaml’s unprotected Constructor:
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2022-1471
>>>>>
>>>>> This CVE is reasonable to suppress, since operators should be able to
>>>>> trust their YAML configuration files.
>>>>>
>>>>> The rationale for this proposed deprecation is that the upcoming 5.0
>>>>> release is a good time to evaluate dependencies that are no longer
>>>>> receiving updates and will become risks in the future.
>>>>>
>>>>> https://issues.apache.org/jira/browse/CASSANDRA-18743
>>>>>
>>>>> —
>>>>> Abe
>>>>>