[
https://issues.apache.org/jira/browse/SPARK-39725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611230#comment-17611230
]
Bjørn Jørgensen commented on SPARK-39725:
-----------------------------------------
Well yes, we do download it..
build spark and log to a file. ./build/mvn -DskipTests clean package --log-file
log.txt
In the log.txt file you will see that we download both versions.
Then to find where the usage are we can mvn dependency:tree -Ddetail=true
--log-file treelog.txt
So now in treelog.txt file you can find
org.eclipse.jetty:jetty-io:jar:9.4.46.v20220331But it's only used by
org.seleniumhq.selenium:htmlunit-driver
https://github.com/SeleniumHQ/htmlunit-driver/commit/1368e9432e9b1f0d11078c774b99e3390fa6edb3#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8L24
And scalatestplus:selenium have a new release that is 5 hours old(!) where this
dependensi is updated.
https://github.com/scalatest/scalatestplus-selenium/releases/tag/release-3.2.14.0-for-selenium-4.4
So the thing her is to see what they have don in SPARK-40397
Is this a thing that you will try to do?
CC [~yangjie01]
> Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622
> ------------------------------------------------------------
>
> Key: SPARK-39725
> URL: https://issues.apache.org/jira/browse/SPARK-39725
> Project: Spark
> Issue Type: Bug
> Components: Build
> Affects Versions: 3.4.0
> Reporter: Bjørn Jørgensen
> Assignee: Bjørn Jørgensen
> Priority: Major
> Fix For: 3.4.0
>
> Attachments: jetty-io-spark.png
>
>
> [Release note |https://github.com/eclipse/jetty.project/releases]
> [CVE-2022-2047|https://nvd.nist.gov/vuln/detail/CVE-2022-2047]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
