jjiang037 commented on PR #5905: URL: https://github.com/apache/hive/pull/5905#issuecomment-3076777639
@okumin By checking the current dependency tree (without this patch), we can find that:

1. Direct dependency: `hive-standalone-metastore-server` already declares `commons-beanutils 1.9.4` itself.
2. Hadoop-common transitive dependency: `hadoop-common 3.4.1` (see its [pom](https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common/3.4.1)) also brings in `commons-beanutils 1.9.4` transitively.
3. opencsv 5.11.x still requires BeanUtils (now 1.10.0/1.11.0) in its compile deps, so a jar remains on the class-path even after the upgrade ([Maven Repository](https://mvnrepository.com/artifact/com.opencsv/opencsv/5.11)).

Simply upgrading opencsv and deleting the metastore line would leave the vulnerable 1.9.4 coming from Hadoop and an uncontrolled version clash with whatever opencsv asks for. I attach the current dependency tree (without the patch) for you to check. Thanks. [dep_tree (3).txt](https://github.com/user-attachments/files/21247641/dep_tree.3.txt)

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
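The check the comment describes, reading the tree to find every route by which `commons-beanutils` reaches the class-path and which version Maven actually keeps, can be scripted against the text that `mvn dependency:tree -Dverbose` prints. The following is an added example, not Hive project code and not the attached `dep_tree (3).txt`: it parses a verbose tree listing, records the path to each occurrence of one artifact, separates the resolved copy from the copies Maven marks as omitted, and flags a resolved version below a chosen minimum or more than one requested version. The sample tree is constructed; the `com.example:app` root, the `commons-configuration2` hop under `hadoop-common` and the `1.11.0` minimum are assumptions for the illustration.

```python
"""Audit `mvn dependency:tree -Dverbose` output for one artifact.

Added example, not Hive project code: parse the textual tree Maven prints and
report every path that pulls in the artifact, the version Maven resolved onto
the class-path, and the versions that were requested but omitted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One tree line: an optional "[INFO] " from raw mvn output, a prefix built from
# 3-character segments ("+- ", "\- ", "|  ", "   ") whose length encodes depth,
# then the coordinates.  Verbose mode wraps omitted nodes in parentheses and
# appends a note such as "omitted for conflict with 1.9.4".
LINE_RE = re.compile(
    r"^(?:\[INFO\] )?"
    r"(?P<prefix>(?:\+- |\\- |\|  |   )*)"
    r"\(?(?P<coords>[^\s()]+)"
    r"(?: - (?P<note>[^)]*))?\)?\s*$"
)


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: str
    omitted: Optional[str]  # None when this copy is the one on the class-path
    path: List[str]         # "group:artifact:version" chain from root to here


def _split_coords(coords: str):
    """groupId:artifactId:type[:classifier]:version[:scope] -> (g, a, version, scope)."""
    p = coords.split(":")
    if len(p) == 4:          # the root module line carries no scope
        return p[0], p[1], p[3], ""
    if len(p) == 5:
        return p[0], p[1], p[3], p[4]
    if len(p) == 6:          # a classifier is present
        return p[0], p[1], p[4], p[5]
    raise ValueError(f"unrecognised coordinates: {coords}")


def parse_tree(text: str) -> List[Node]:
    nodes: List[Node] = []
    stack: List[str] = []    # labels of the ancestors of the current node
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("coords").count(":") < 3:
            continue         # blank line or other mvn chatter
        depth = len(m.group("prefix")) // 3
        g, a, v, scope = _split_coords(m.group("coords"))
        del stack[depth:]    # pop back to this node's parent
        label = f"{g}:{a}:{v}"
        nodes.append(Node(g, a, v, scope, m.group("note"), stack + [label]))
        stack.append(label)
    return nodes


def _vkey(v: str):
    """Numeric sort key so that 1.9.4 < 1.11.0 (plain strings would say otherwise)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def audit(text: str, group: str, artifact: str, minimum: str) -> Dict:
    """Every occurrence of group:artifact in the tree plus the policy findings.

    An empty "findings" list means exactly one version is requested anywhere in
    the tree and the resolved one is at least `minimum`.
    """
    hits = [n for n in parse_tree(text) if (n.group, n.artifact) == (group, artifact)]
    resolved = sorted({n.version for n in hits if n.omitted is None}, key=_vkey)
    requested = sorted({n.version for n in hits}, key=_vkey)
    findings = []
    for v in resolved:
        if _vkey(v) < _vkey(minimum):
            findings.append(f"{group}:{artifact}:{v} is on the class-path, below {minimum}")
    if len(requested) > 1:
        findings.append(f"{len(requested)} versions requested: {', '.join(requested)}")
    return {
        "resolved": resolved,
        "requested": requested,
        "findings": findings,
        "paths": [(n.version, n.omitted or "resolved", " -> ".join(n.path)) for n in hits],
    }


# Constructed sample in the format of `mvn dependency:tree -Dverbose`; the root
# module and the intermediate commons-configuration2 hop are assumptions for the
# illustration, not the tree attached to the PR.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- org.apache.hadoop:hadoop-common:jar:3.4.1:compile
[INFO] |  \\- org.apache.commons:commons-configuration2:jar:2.10.1:compile
[INFO] |     \\- (commons-beanutils:commons-beanutils:jar:1.9.4:compile - omitted for duplicate)
[INFO] \\- com.opencsv:opencsv:jar:5.11:compile
[INFO]    \\- (commons-beanutils:commons-beanutils:jar:1.11.0:compile - omitted for conflict with 1.9.4)
"""

if __name__ == "__main__":
    report = audit(SAMPLE_TREE, "commons-beanutils", "commons-beanutils", "1.11.0")
    for version, status, path in report["paths"]:
        print(f"{version:8} {status:32} {path}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Against the sample the script reports three routes for the artifact, with `1.9.4` resolved from the direct declaration and `1.11.0` omitted as a conflict under opencsv, and two findings: the resolved version is below the minimum, and two distinct versions are requested. Run against a real project, capture the tree with `mvn dependency:tree -Dverbose` (the `-Dincludes=commons-beanutils` filter keeps the listing short) and feed the file to `audit`; the "omitted" entries are exactly the paths that would reappear as the resolved copy once the current winner is removed, which is the clash the comment warns about.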