[
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16893818#comment-16893818
]
Sean Busbey commented on HBASE-22728:
-------------------------------------
I've had a long-standing desire to segregate hadoop and its transitive
dependencies within {{lib}}, similar to how we do for jruby or jdk11 stuff. My
reasoning was mostly that our current "replace hadoop with your hadoop version"
is really hard without that, and normally if {{hadoop}} is in the classpath
you end up getting everything in the classpath twice anyways. If we can easily
identify "all the hadoop stuff" then we can leave it out of the classpath when
we are able to ask hadoop itself for a current classpath.
Would completing that work make this more feasible?
We could effectively just remove jackson from our direct dependencies and then
emphasize that folks need to also upgrade the hadoop they're using so that the
jackson we end up with in that hadoop-if-not-provided area doesn't get used.
> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
> Key: HBASE-22728
> URL: https://issues.apache.org/jira/browse/HBASE-22728
> Project: HBase
> Issue Type: Sub-task
> Affects Versions: 1.4.10, 1.3.5
> Reporter: Andrew Purtell
> Priority: Major
> Fix For: 1.5.0, 1.3.6, 1.4.11
>
>
> Avoid Jackson versions and dependencies with known CVEs