[ 
https://issues.apache.org/jira/browse/HBASE-26903?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrew Kyle Purtell updated HBASE-26903:
----------------------------------------
    Description: 
Dependabot auto-generated dependency upgrade: 
https://github.com/apache/hbase/pull/4291

We can't accept the dependabot PR as-is because it causes a unit test failure. 
Bump the dependency and fix the test by hand. 

There is a comment in our POM indicating this is a known issue:

{noformat}
    <!-- Updating the httpclient will break hbase-rest. It writes out URLs with '//' in it
      especially when writing out 'no column families'. Later httpclients collapse the '//'
      into single '/' as double-slash is not legal in an URL. Breaks #testDelete in
      TestRemoteTable. -->
{noformat}

Staying back on a version of httpclient with CVE listed vulnerabilities just 
for this isn't a good option. 

  was:
Dependabot auto-generated dependency upgrade: 
https://github.com/apache/hbase/pull/4291

We can't accept the dependabot PR as-is because it causes a unit test failure. 
Bump the dependency and fix the test by hand. 

There is a comment in our POM indicating this is a known issue:

{code}
    <!-- Updating the httpclient will break hbase-rest. It writes out URLs with '//' in it
      especially when writing out 'no column families'. Later httpclients collapse the '//'
      into single '/' as double-slash is not legal in an URL. Breaks #testDelete in
      TestRemoteTable. -->
{code}

Staying back on a version of httpclient with CVE listed vulnerabilities just 
for this isn't a good option. 


> Bump httpclient from 4.5.3 to 4.5.13
> ------------------------------------
>
>                 Key: HBASE-26903
>                 URL: https://issues.apache.org/jira/browse/HBASE-26903
>             Project: HBase
>          Issue Type: Task
>            Reporter: Andrew Kyle Purtell
>            Assignee: Andrew Kyle Purtell
>            Priority: Minor
>             Fix For: 2.5.0, 3.0.0-alpha-3, 2.4.12
>
>
> Dependabot auto-generated dependency upgrade: 
> https://github.com/apache/hbase/pull/4291
> We can't accept the dependabot PR as-is because it causes a unit test 
> failure. Bump the dependency and fix the test by hand. 
> There is a comment in our POM indicating this is a known issue:
> {noformat}
>     <!-- Updating the httpclient will break hbase-rest. It writes out URLs with '//' in it
>       especially when writing out 'no column families'. Later httpclients collapse the '//'
>       into single '/' as double-slash is not legal in an URL. Breaks #testDelete in
>       TestRemoteTable. -->
> {noformat}
> Staying back on a version of httpclient with CVE listed vulnerabilities just 
> for this isn't a good option. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
