virajjasani commented on a change in pull request #505: HBASE-22863 : Cleanup 
transitive Jackson1 vulnerable dependencies(forward-port HBASE-22728)
URL: https://github.com/apache/hbase/pull/505#discussion_r314968185
 
 

 ##########
 File path: hbase-zookeeper/pom.xml
 ##########
 @@ -274,6 +284,16 @@
         <dependency>
           <groupId>org.apache.hadoop</groupId>
           <artifactId>hadoop-common</artifactId>
+          <exclusions>
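Review bot: the `<exclusions>` element added under `hadoop-common` in hbase-zookeeper/pom.xml has no XML comment explaining why it is there. Because this is a module-level pom and the exclusion is tied to a specific issue, a one-line comment above the block naming HBASE-22863 and the Jackson1 artifacts being kept out would make it harder for a later dependency cleanup to drop it by mistake.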
 
 Review comment:
   @Apache9 this doesn't work as expected. For instance, if a downstream app has 
an hbase-client dependency and we have excluded these only from the parent pom, 
downstream would still get the vulnerable Jackson1 dependencies from hbase-client. 
In fact, the same is done for branch-1: 
https://github.com/apache/hbase/commit/4b34d24f7a12510f69cf4d2e190359dc0b271ead 
(removal in individual modules so that downstream users won't pull them in from HBase)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
