Re: How should we do about dependency update?

2019-10-22 Thread Steve Loughran
We don't have a complete set of shaded artefacts -so it's not fair to point at the downstream users and say it's "your own fault". We need to do more here ourselves. Here: it is a CVE, they should upgrade anyway. Guava is special because it has been so brittle cross versions and so widely used by

Re: How should we do about dependency update?

2019-10-22 Thread Wei-Chiu Chuang
Hi Sean, Thanks for the valuable feedback. Good point on not using dependency classes in public API parameters. One example is HADOOP-15502 (blame me for breaking the API). From what I know, the biggest risk is that downstreamers include depende

Re: How should we do about dependency update?

2019-10-22 Thread Sean Busbey
speaking with my HBase hat on instead of my Hadoop hat, when the Hadoop project publishes that there's a CVE but does not include a maintenance release that mitigates it for a given minor release line, we assume that means the Hadoop project is saying that release line is EOM and should be abandone

How should we do about dependency update?

2019-10-21 Thread Wei-Chiu Chuang
Hi Hadoop developers, I've always had this question and I don't know the answer. For the last few months I finally spent time to deal with the vulnerability reports from our internal dependency check tools. Say in HADOOP-16152 we update Jetty