[ https://issues.apache.org/jira/browse/DRILL-8267?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569285#comment-17569285 ]
ASF GitHub Bot commented on DRILL-8267:
---------------------------------------

vdiravka commented on code in PR #2609:
URL: https://github.com/apache/drill/pull/2609#discussion_r926320649

##########
pom.xml:
##########
@@ -1984,17 +1983,6 @@ <artifactId>xercesImpl</artifactId> <version>${xerces.version}</version> </dependency> - <dependency>

Review Comment:
This management is for two purposes:
1. Per commit DRILL-7713 I understand the dependency was added to remove vulnerability from the transitive dependencies.
2. To avoid using `commons-logging` as dependency. https://github.com/apache/commons-configuration/blob/master/pom.xml#L301

In case we are sure `commons-configuration` dependency is [1.10](https://github.com/apache/phoenix-omid/blob/ba43c8e1d73543fafa102c57af79516c4dc88860/pom.xml#L175) or newer version in Drill after removing this management and `commons-logging` is not used (successful mvn build is enough for this, because [commons-logging](https://github.com/apache/drill/blob/master/pom.xml#L663) is banned in Drill), we can remove this management.

The other question: do we really need it?! It is possible that in the future a new dependency will have `commons-configuration` as a transitive dependency and we will face the same issues, but now they are solved.

> Remove commons-configuration dependency management
> --------------------------------------------------
>
> Key: DRILL-8267
> URL: https://issues.apache.org/jira/browse/DRILL-8267
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> https://mvnrepository.com/artifact/commons-configuration/commons-configuration/1.10
> This jar is EOL and has many very insecure dependencies.
> Looks like this dependency is not used by Drill or any of its dependencies.
> Hadoop uses commons-configuration2 instead.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
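
Review bot: once the block that opens at `- <dependency>` after the `xercesImpl` entry is gone (11 lines, going by the `-1984,17 +1983,6` header), nothing in `pom.xml` constrains `commons-configuration` if a later dependency pulls it in transitively, which is the case the review comment raises. Consider adding `commons-configuration:commons-configuration` to the same banned-dependency list that already blocks `commons-logging`, so that a reintroduction fails the build, and confirm before merging that `mvn dependency:tree -Dincludes=commons-configuration` finds nothing.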