GitHub user srowen commented on the pull request:

https://github.com/apache/spark/pull/10887#issuecomment-174288516

My major question is simply, does this break anything? The problem is that not all transitive dependencies use this version of the httpclient. Although I suspect it would be OK, assuming 4.5 is backwards-compatible with 4.3, and tests would help reveal problems (and you're going to have to update the dependencies file in the repo anyway to reflect the change), then this is substantially OK. Is there a particular fix we need in 4.5?

One good thing to do is examine the current set of dependencies and evaluate all the different versions of this we use, and from where, and skim release notes to see if there are likely any breaking changes.

Secondly, we probably need to clean up handling of this dependency more thoroughly. Version needs to be declared once in the parent, and we probably need to remove most if not all exclusions of this at this stage. They should be redundant, but that also bears thinking through.

It's not a trivial exercise, but it would certainly help to study the state of this fairly important dependency and clean it up. We can tolerate a little breakage risk with Spark 2.x.