This is an automated email from the ASF dual-hosted git repository. stoty pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/master by this push: new 3492933940 PHOENIX-7181 Do not declare commons-configuration2 dependency 3492933940 is described below commit 3492933940807737f08ef778469db9fa84b281d0 Author: Istvan Toth <st...@apache.org> AuthorDate: Mon Jan 15 15:39:03 2024 +0100 PHOENIX-7181 Do not declare commons-configuration2 dependency also remove redundant commons-configuration2 from phoenix-mapreduce-byo-shaded-hbase --- phoenix-core-client/pom.xml | 4 ---- phoenix-core/pom.xml | 5 ----- phoenix-mapreduce-byo-shaded-hbase/pom.xml | 9 +++++++++ pom.xml | 13 +++++++------ 4 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/phoenix-core-client/pom.xml b/phoenix-core-client/pom.xml
index 1d886b3bae..ba02beaa33 100644
--- a/phoenix-core-client/pom.xml
+++ b/phoenix-core-client/pom.xml
@@ -394,10 +394,6 @@
 <groupId>org.apache.commons</groupId>
 <artifactId>commons-lang3</artifactId>
 </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- </dependency>
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
diff --git a/phoenix-core/pom.xml b/phoenix-core/pom.xml
index 85f95b5bf3..704bb5d55e 100644
--- a/phoenix-core/pom.xml
+++ b/phoenix-core/pom.xml
@@ -349,11 +349,6 @@
 <artifactId>phoenix-shaded-commons-cli</artifactId>
 <scope>test</scope>
 </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- <scope>test</scope>
- </dependency>
 <dependency>
 <groupId>com.github.stephenc.findbugs</groupId>
 <artifactId>findbugs-annotations</artifactId>
diff --git a/phoenix-mapreduce-byo-shaded-hbase/pom.xml b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
index 7cf6a98ea8..d9ccfd30c9 100644
--- a/phoenix-mapreduce-byo-shaded-hbase/pom.xml
+++ b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
@@ -574,6 +574,15 @@ <version>4.0.0</version> <scope>provided</scope> </dependency> + <dependency> + <!-- provided by Hadoop --> + <groupId>org.apache.commons</groupId> + <artifactId>commons-configuration2</artifactId> + <!-- random version, for exclusion only --> + <version>2.1.1</version> + <scope>provided</scope> + </dependency> + <!-- Other dependencies we don't want to shade in, but are not transitively excluded by the above for some reason -->
diff --git a/pom.xml b/pom.xml
index 807baa4002..7c598fb80c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,7 +116,6 @@
 <commons-csv.version>1.0</commons-csv.version>
 <commons-compress.version>1.21</commons-compress.version>
 <sqlline.version>1.9.0</sqlline.version>
- <commons-configuration2.version>2.1.1</commons-configuration2.version>
 <jcip-annotations.version>1.0-1</jcip-annotations.version>
 <jsr305.version>2.0.1</jsr305.version>
 <snappy.version>0.3</snappy.version>
@@ -445,6 +444,13 @@
 <!-- These change too frequently, so we just rely on the hbase transitive deps -->
 org.apache.hbase.thirdparty:*
 </ignoredUsedUndeclaredDependency>
+ <ignoredUsedUndeclaredDependency>
+ <!-- We only need this because the Hadoop Metrics API leak.
+ By not declaring the dependency, we can pick up the CVE fixed version from Hadoop
+ without having to also declare a dependency on commons-text dependency
+ (which we do not use directly at all)-->
+ org.apache.commons:commons-configuration2
+ </ignoredUsedUndeclaredDependency>
 </ignoredUsedUndeclaredDependencies>
 </configuration>
 <executions>
@@ -1518,11 +1524,6 @@
 <artifactId>commons-lang3</artifactId>
 <version>${commons-lang.version}</version>
 </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- <version>${commons-configuration2.version}</version>
- </dependency>
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
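Review bot: The `<version>2.1.1</version>` literal in the `provided` declaration added to phoenix-mapreduce-byo-shaded-hbase/pom.xml is explained only as "random version, for exclusion only", which does not say why the version is harmless. A directly declared version normally takes precedence over the one Hadoop brings in transitively, so this module presumably resolves commons-configuration2 at 2.1.1 for its own build, and composition scanners that read the POM will report that version even though the artifact is not meant to be shipped. I would reword the comment along the lines of `<!-- version is irrelevant: provided scope only keeps this out of the shaded jar, the runtime copy comes from Hadoop -->`. It is also worth confirming on the built jar that no `org/apache/commons/configuration2` classes are present. The enclosing `<dependencies>` block starts and ends outside the hunk.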
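Review bot: Nothing in the `ignoredUsedUndeclaredDependency` entry added to the root pom.xml (hunk at -445) enforces what its comment relies on, namely that the commons-configuration2 version inherited from Hadoop is the CVE-fixed one. With the managed version removed elsewhere in this commit, the resolved version follows whichever Hadoop release a build selects, so an older Hadoop line would presumably bring back an unfixed release with no build-time signal. Consider pairing the ignore with a maven-enforcer `bannedDependencies` exclude such as `org.apache.commons:commons-configuration2:(,FIXED_VERSION)` (placeholder: the page does not name the fixed version). Naming the CVE id in the comment would also make the reason searchable. The surrounding `<configuration>` block continues outside the hunk.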