ramitg254 commented on PR #6251: URL: https://github.com/apache/hive/pull/6251#issuecomment-3724841620
> @ramitg254, I understand and totally get why these changes are made, but I'm not in favour of such changes because it invites `NoClassDefFoundError` and `NoSuchMethodError` at runtime. It's possible that commons-lang3 3.17 and 3.20 have API compatibility, but the correct way is to wait for hadoop (_as they will also have the CVE_) to upgrade to a non-CVE version and then we can upgrade to the new hadoop version. Upgrading to 3.17.0, on the other hand, makes perfect sense and should be done (_but it won't solve the CVE._)
>
> I just wanted to express my concerns; I won't be in the way if other PMC/committers are ok with this approach. But my stance is -0 on this (https://hive.apache.org/community/bylaws/#voting).

Thanks @Aggarwal-Raghav for sharing the concern. Based on what I understood, I think we can do either of two things here:

1. Just upgrade that 3.14.0 version which is defined in the hive pom itself and remove the changes I added in dependency management, so that no transitive dependency coming from tez and hadoop is touched.
2. Or I'll close this PR now and it can be taken care of later, once it has already been upgraded for hadoop and tez.
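The two options in the comment above differ only in where the version is declared, which decides whether Maven also rewrites the commons-lang3 version that hadoop and tez pull in transitively. The pom fragment below is an added illustration, not Hive's actual pom or anything from this PR: the `org.apache.commons:commons-lang3` coordinates are real, but the property name, the module layout and the version numbers are assumptions chosen to show the mechanism.

```xml
<!-- Added illustration, not Hive's pom: how option 1 and option 2 differ.
     Property name and version numbers are assumptions for illustration. -->
<project>
  <properties>
    <!-- Option 1: bump only the version Hive declares for its own direct use.
         Modules that list commons-lang3 as a direct dependency get this
         version; hadoop and tez keep pulling the version they declare. -->
    <commons-lang3.version>3.17.0</commons-lang3.version>
  </properties>

  <!-- Option 2 (what the reviewer objected to): a dependencyManagement entry
       pins the version on every path, including the transitive one reached
       through hadoop and tez. Those artifacts were compiled against their own
       commons-lang3 release, so a method or class that the pinned release no
       longer provides only fails at runtime, as NoSuchMethodError or
       NoClassDefFoundError, rather than at build time. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>${commons-lang3.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- A direct use inside a Hive module; resolves to ${commons-lang3.version}
         under either option. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons-lang3.version}</version>
    </dependency>
  </dependencies>
</project>
```

To see which version actually ends up on the classpath under either option, `mvn dependency:tree -Dincludes=org.apache.commons:commons-lang3` lists every path through which the artifact is reached together with the resolved version, so a pinned transitive can be spotted before it reaches a runtime.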
