Samrat002 commented on PR #51:
URL: https://github.com/apache/flink-connector-pulsar/pull/51#issuecomment-1583879236

   Thank you @tisonkun, @syhily for taking the time to review the small change.
   
   My intention was to exclude snakeyaml and mitigate the vulnerability; I failed to see that the added unnecessary dependencies create technical debt in future upgrades.
   
   > If it should not be in the fat jar at all, you can submit a PR to Pulsar upstream and we reduce this dependency by upgrading the Pulsar version.
   
   Yes, I can submit a PR to Pulsar upstream and reduce this dependency by upgrading the Pulsar version. This would be a cleaner way.
   
   
   > BTW, Pulsar client didn't use snakeyaml internally. So the CVE you report on snakeyaml won't occur on [flink-connector-pulsar](https://issues.apache.org/jira/browse/FLINK-connector-pulsar).
   
   I have one query regarding this: do we really need pulsar client all here in flink connector pulsar?
   Can't we just use only the pulsar client that is used? Using pulsar client all will bring in other clients that are not required here.
   Looking forward to hearing your opinion on it.

