I'm looking at the repo in github and I see that both branch-2 and branch-2.6 have hbase-thirdparty at 4.1.10, via HBASE-29086.
My recollection is that there's an incompatibility that prevents upgrading it for branch-2.5. Given that there's still life in 2.5, it would be good to get this sorted. On Wed, Mar 19, 2025 at 9:16 AM Istvan Toth <[email protected]> wrote: > > Hi! > > I've recently run some static checkers on 2.5.11, and found a few CVEs in > thirdparty. > branch-2 still uses thirdparty 4.1.5, which is quite old. > > Is there a specific reason why thirdparty wasn't updated on branch-2.x ? > > If 4.1.6 is for some reason incompatible with branch-2, we should still > release something that fixes the CVEs on branch-2. (Maybe 4.1.5.x ?) > > Istvan
