virajjasani edited a comment on issue #505: HBASE-22863 : Cleanup transitive Jackson1 vulnerable dependencies(forward-port HBASE-22728)
URL: https://github.com/apache/hbase/pull/505#issuecomment-522288323
 
 
   > Is it safe to just exclude these transitive dependencies? At least hadoop adds them as dependencies...
   
   @Apache9 Since we have moved to Jackson2, we can safely exclude these dependencies. At some places, we require jackson-mapper-asl:1.9.13 (CVE exposed) at test scope to run tests like HBaseTestUtility.startMiniCluster(). But it is definitely not required at compile scope, as we would expose these to downstreamers otherwise. This is partly a forward-port from [HBASE-22728](https://issues.apache.org/jira/browse/HBASE-22728) to master and branch-2.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
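
One way to check the scoping the comment describes, as an added example that is not part of the original message or of the HBase code base: a parser for the text output of `mvn dependency:tree` that reports Jackson1 (`org.codehaus.jackson`) artifacts reaching compile or runtime scope and names the direct dependency that pulls them in. The module names and `0.0.0-EXAMPLE` versions in the sample trees are constructed; only `jackson-mapper-asl:1.9.13` comes from the comment.

```python
import re

JACKSON1_GROUP = "org.codehaus.jackson"
# Scopes that end up on a downstream consumer's classpath; "test" does not.
LEAKING_SCOPES = {"compile", "runtime"}

# One tree node: "[INFO] " + 3-char indent units ("|  ", "   ", "+- ", "\- ") + coordinates.
NODE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ]  |[+\\]- )*)(?P<coord>\S+)$")


def parse_tree(text):
    """Yield (depth, group, artifact, version, scope) for each node in the tree."""
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")
        if len(parts) < 4:  # separators and other non-coordinate lines
            continue
        depth = len(m.group("indent")) // 3
        if depth == 0:  # root is group:artifact:type:version, no scope
            version, scope = parts[-1], None
        else:  # group:artifact:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        yield depth, parts[0], parts[1], version, scope


def find_jackson1_leaks(text):
    """Return (artifact:version, scope, direct dependency) for each leaking Jackson1 node."""
    path, leaks = [], []
    for depth, group, artifact, version, scope in parse_tree(text):
        del path[depth:]  # unwind to this node's parent
        path.append(f"{group}:{artifact}")
        if group == JACKSON1_GROUP and scope in LEAKING_SCOPES:
            via = path[1] if depth > 1 else "(declared directly)"
            leaks.append((f"{artifact}:{version}", scope, via))
    return leaks


# Constructed sample: Jackson1 arrives transitively at compile scope.
BEFORE = r"""[INFO] org.example:demo-module:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.hadoop:hadoop-common:jar:0.0.0-EXAMPLE:compile
[INFO] |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] \- junit:junit:jar:0.0.0-EXAMPLE:test"""

# Constructed sample: excluded from the Hadoop dependency, kept only at test scope.
AFTER = r"""[INFO] org.example:demo-module:jar:0.0.0-EXAMPLE
[INFO] +- org.apache.hadoop:hadoop-common:jar:0.0.0-EXAMPLE:compile
[INFO] \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:test"""

if __name__ == "__main__":
    for leak in find_jackson1_leaks(BEFORE):
        print("leak:", leak)
```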