[ https://issues.apache.org/jira/browse/SPARK-39725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611230#comment-17611230 ]
Bjørn Jørgensen commented on SPARK-39725: ----------------------------------------- Well yes, we do download it.. build spark and log to a file. ./build/mvn -DskipTests clean package --log-file log.txt In the log.txt file you will see that we download both versions. Then to find where the usage are we can mvn dependency:tree -Ddetail=true --log-file treelog.txt So now in treelog.txt file you can find org.eclipse.jetty:jetty-io:jar:9.4.46.v20220331But it's only used by org.seleniumhq.selenium:htmlunit-driver https://github.com/SeleniumHQ/htmlunit-driver/commit/1368e9432e9b1f0d11078c774b99e3390fa6edb3#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8L24 And scalatestplus:selenium have a new release that is 5 hours old(!) where this dependensi is updated. https://github.com/scalatest/scalatestplus-selenium/releases/tag/release-3.2.14.0-for-selenium-4.4 So the thing her is to see what they have don in SPARK-40397 Is this a thing that you will try to do? CC [~yangjie01] > Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622 > ------------------------------------------------------------ > > Key: SPARK-39725 > URL: https://issues.apache.org/jira/browse/SPARK-39725 > Project: Spark > Issue Type: Bug > Components: Build > Affects Versions: 3.4.0 > Reporter: Bjørn Jørgensen > Assignee: Bjørn Jørgensen > Priority: Major > Fix For: 3.4.0 > > Attachments: jetty-io-spark.png > > > [Release note |https://github.com/eclipse/jetty.project/releases] > [CVE-2022-2047|https://nvd.nist.gov/vuln/detail/CVE-2022-2047] -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org