My general take on this is that it's ok to upgrade a dependency in a patch release if the dependency upgrade itself is a new patch release of the same minor version. The changelog of Tika 1.24 seems to include not only bug fixes but also some enhancements[1], so I'd rather do an 8.6 release in the near future than backport this dependency upgrade to 8.5.
[1] https://tika.apache.org/1.24/index.html

On Thu, Apr 2, 2020 at 9:33 PM Cassandra Targett <[email protected]> wrote:

> Should we consider backporting SOLR-14367 (the most recent Tika upgrade)?
> It addresses a CVE in Tika, and while I think we usually avoid changing 3rd
> party component versions in patch releases, maybe we should in this
> case? The upgrade also looks like it was pretty straightforward (drop-in
> replacement).
>
> Cassandra
> On Apr 2, 2020, 12:47 PM -0500, Ignacio Vera <[email protected]>, wrote:
> > Hi,
> >
> > I propose a quick 8.5.1 bugfix release and I volunteer as RM. The main
> > motivation for this release is LUCENE-9300 where Jim addressed a serious
> > bug that can lead to data corruption when merging indices via IW#addIndices.
> >
> > If there are no objections I am planning to create an RC early next week.
> >
> > Best regards,
> >
> > Ignacio

--
Adrien
