[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16900327#comment-16900327 ]

Sean Busbey commented on HBASE-22728:
-------------------------------------

{quote}
If the ans is no due to downstreamers, they can break even with removal of 
Jackson 1 from classpath now. Maybe I am missing something specific? Or 
"version upgrade should be done in major release only" is a very strict rule to 
follow even if version in use is ~ 7 yr old?
{quote}

That guideline is specifically about non-backwards-compatible version changes. 
If we're going to make downstream deal with removing Jackson 1 from the 
classpath then we should try to just have no exposed Jackson for downstream at 
the end of the day. I think [~Apache9] has mentioned wanting to move to shaded 
gson, but I haven't kept up on how that went. If there's a relocated gson in 
hbase-thirdparty maybe it's time to move branch-1 to it as well.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 1.4.10, 1.3.5
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.3.6, 1.4.11
>
>         Attachments: HBASE-22728.branch-1.01.patch, 
> HBASE-22728.branch-1.02.patch, HBASE-22728.branch-1.04.patch, 
> HBASE-22728.branch-1.06.patch, dependency_codehaus.out
>
>
> Avoid Jackson versions and dependencies with known CVEs



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
