[
https://issues.apache.org/jira/browse/BEAM-9352?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Luke Cwik updated BEAM-9352:
----------------------------
Description:
Jackson relies on delivering a set of packages at a specific version which are
internally compatible with each other. Some of Apache Beam's transitive
dependencies bring in versions which may not be compatible with the version
used with Apache Beam.
Analysis on [pr/10643|[https://github.com/apache/beam/pull/10643]] found that
these are some of those inconsistencies:
{noformat}
> jackson-dataformat-xml-2.8.7.jar is at:
> org.apache.beam:beam-sdks-java-extensions-sql:2.20.0-SNAPSHOT (compile) /
> com.alibaba:fastjson:1.2.49 (compile) /
> org.springframework:spring-webmvc:4.3.7.RELEASE (provided, optional) /
> com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.8.7 (compile,
> optional)
> jackson-dataformat-xml-2.9.9.jar is at:
> org.apache.beam:beam-sdks-java-io-rabbitmq:2.20.0-SNAPSHOT (compile) /
> com.rabbitmq:amqp-client:5.7.3 (compile) /
> io.micrometer:micrometer-core:1.2.0 (compile, optional) /
> org.apache.logging.log4j:log4j-core:2.12.0 (compile, optional) /
> com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9 (compile,
> optional)
< jackson-dataformat-csv-2.10.0.jar is at:
org.apache.beam:beam-sdks-java-io-kafka:2.20.0-SNAPSHOT (compile) /
io.confluent:kafka-avro-serializer:5.3.2 (compile) /
org.apache.kafka:kafka_2.12:5.3.2-ccs (provided) /
com.fasterxml.jackson.dataformat:jackson-dataformat-csv:2.10.0 (provided)
< and 1 dependency path
{noformat}
was:Jackson has a new way to deal with [deserialization security
issues|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10] in
2.10.x so worth the upgrade.
> Ensure consistent usage of jackson version brought in by transitive
> dependencies
> --------------------------------------------------------------------------------
>
> Key: BEAM-9352
> URL: https://issues.apache.org/jira/browse/BEAM-9352
> Project: Beam
> Issue Type: Improvement
> Components: build-system, sdk-java-core
> Reporter: Luke Cwik
> Assignee: Ismaël Mejía
> Priority: Minor
> Fix For: 2.20.0
>
>
> Jackson relies on delivering a set of packages at a specific version which
> are internally compatible with each other. Some of Apache Beam's transitive
> dependencies bring in versions which may not be compatible with the version
> used with Apache Beam.
>
> Analysis on [pr/10643|[https://github.com/apache/beam/pull/10643]] found that
> these are some of those inconsistencies:
>
> {noformat}
> > jackson-dataformat-xml-2.8.7.jar is at:
> > org.apache.beam:beam-sdks-java-extensions-sql:2.20.0-SNAPSHOT (compile) /
> > com.alibaba:fastjson:1.2.49 (compile) /
> > org.springframework:spring-webmvc:4.3.7.RELEASE (provided, optional) /
> > com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.8.7 (compile,
> > optional)
> > jackson-dataformat-xml-2.9.9.jar is at:
> > org.apache.beam:beam-sdks-java-io-rabbitmq:2.20.0-SNAPSHOT (compile) /
> > com.rabbitmq:amqp-client:5.7.3 (compile) /
> > io.micrometer:micrometer-core:1.2.0 (compile, optional) /
> > org.apache.logging.log4j:log4j-core:2.12.0 (compile, optional) /
> > com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.9.9 (compile,
> > optional)
> < jackson-dataformat-csv-2.10.0.jar is at:
> org.apache.beam:beam-sdks-java-io-kafka:2.20.0-SNAPSHOT (compile) /
> io.confluent:kafka-avro-serializer:5.3.2 (compile) /
> org.apache.kafka:kafka_2.12:5.3.2-ccs (provided) /
> com.fasterxml.jackson.dataformat:jackson-dataformat-csv:2.10.0 (provided)
> < and 1 dependency path
> {noformat}
>
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
