Bump deps with security vulnerabilities #541
base: main
Lukas Senicourt seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
kupferk left a comment
I cannot simply choose versions of my preference. For most libraries, I need to pick the versions that come along with Spark. Those libraries are marked as "provided" anyway, and it is the responsibility of the platform provider to perform any patching.
I need to check the remaining upgrades (grpc and AWS).
| <!-- Default Hadoop version (3.3) --> | ||
| <hadoop.version>3.3.4</hadoop.version> | ||
| <hadoop.version>3.3.6</hadoop.version> |
Spark 3.5.7 provides Hadoop 3.3.4
| <antlr4.version>4.9.3</antlr4.version> | ||
| <avro.version>1.11.4</avro.version> | ||
| <commons-cli.version>1.5.0</commons-cli.version> | ||
| <commons-cli.version>1.11.0</commons-cli.version> |
Spark 3.5.7 provides commons-cli 1.5.0
| <commons-collections.version>3.2.2</commons-collections.version> | ||
| <commons-compiler.version>3.1.9</commons-compiler.version> | ||
| <commons-compress.version>1.23.0</commons-compress.version> | ||
| <commons-compress.version>1.28.0</commons-compress.version> |
Spark 3.5.7 provides commons-compress 1.23.0
| <commons-compress.version>1.28.0</commons-compress.version> | ||
| <commons-io.version>2.16.1</commons-io.version> | ||
| <commons-lang3.version>3.12.0</commons-lang3.version> | ||
| <commons-lang3.version>3.20.0</commons-lang3.version> |
Spark 3.5.7 provides commons-lang3 version 3.12.0
| <derby.version>10.14.2.0</derby.version> | ||
| <dropwizard.version>4.2.0</dropwizard.version> | ||
| <gson.version>2.2.4</gson.version> | ||
| <gson.version>2.13.2</gson.version> |
Spark 3.5.7 provides gson version 2.2.4
| <jersey.version>2.40</jersey.version> | ||
| <joda-time.version>2.12.5</joda-time.version> | ||
| <json4s.version>3.7.0-M11</json4s.version> | ||
| <json4s.version>4.1.0-M8</json4s.version> |
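Review bot: the new json4s.version value 4.1.0-M8 is still a milestone (-M) build and also moves from the 3.x line to the 4.x line, so a dependency bumped for security reasons ends up pinned to a pre-release of a new major version. Suggest naming the advisory this is meant to address and checking whether a non-milestone release covers it before replacing 3.7.0-M11.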
Spark 3.5.7 provides json4s version 3.7.0-M11
| <log4j.slf4j-impl>log4j-slf4j2-impl</log4j.slf4j-impl> | ||
| <lz4.version>1.8.0</lz4.version> | ||
| <netty-all.version>4.1.96.Final</netty-all.version> | ||
| <netty-all.version>4.2.7.Final</netty-all.version> |
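Review bot: netty-all.version goes from 4.1.96.Final to 4.2.7.Final, which leaves the 4.1 line instead of taking a patch release within it. Suggest staying on 4.1.x unless the fix being targeted exists only in 4.2, and stating the advisory in the PR description so the choice of line can be checked.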
Spark 3.5.7 provides version 4.1.96.Final
| <curator-client.version>2.12.0</curator-client.version> | ||
| <curator.version>2.7.1</curator.version> | ||
| <derby.version>10.14.2.0</derby.version> | ||
| <derby.version>10.17.1.0</derby.version> |
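Review bot: derby.version is raised to 10.17.1.0 in this block only, while the property block shown earlier on this page (next to dropwizard.version) still declares derby.version as 10.14.2.0 with no change. Suggest either updating both declarations together or documenting in the pom why this block should carry a different Derby version from the default.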
Spark 3.5.7 provides version 10.14.2.0
| <httpclient.version>4.5.6</httpclient.version> | ||
| <httpcore.version>4.4.10</httpcore.version> | ||
| <ivy.version>2.4.0</ivy.version> | ||
| <ivy.version>2.5.3</ivy.version> |
This looks like the CDH build profile. I can't remember, but I assume that I chose the version being provided by Cloudera.
| <junit.version>5.8.2</junit.version> | ||
| <netty.version>3.9.9.Final</netty.version> | ||
| <protobuf.version>2.5.0</protobuf.version> | ||
| <protobuf.version>4.33.1</protobuf.version> |
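Review bot: protobuf.version jumps from 2.5.0 to 4.33.1 in a single line, crossing two major versions, while the neighbouring netty.version 3.9.9.Final and junit.version 5.8.2 in the same block are left as they are. A change of this size needs a comment in the pom saying which build profile the block belongs to and which advisory the bump addresses, plus a build and test run for every profile that inherits this property, before it can be accepted.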
I need to check that. Spark version 3.4 and lower provide protobuf version 2.5.0. This means that the scope of protobuf (compile/provided) also needs to depend on the Spark version.
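One way to check a pom against the platform baseline the review comments above describe, as an added example that is not part of the PR or the project: it reports every property whose value differs from what the comments state Spark 3.5.7 provides. The function names and the sample pom fragment are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Versions the review comments on this page state Spark 3.5.7 provides.
SPARK_3_5_7_PROVIDED = {
    "hadoop.version": "3.3.4",
    "commons-cli.version": "1.5.0",
    "commons-compress.version": "1.23.0",
    "commons-lang3.version": "3.12.0",
    "gson.version": "2.2.4",
    "json4s.version": "3.7.0-M11",
    "netty-all.version": "4.1.96.Final",
    "derby.version": "10.14.2.0",
}

# Constructed sample: a pom fragment mixing proposed and unchanged values.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <hadoop.version>3.3.6</hadoop.version>
    <avro.version>1.11.4</avro.version>
    <gson.version>2.2.4</gson.version>
    <netty-all.version>4.2.7.Final</netty-all.version>
  </properties>
</project>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on Maven POM tags."""
    return tag.rsplit("}", 1)[-1]


def provided_drift(pom_xml, baseline):
    """Return {property: (baseline_version, pom_version)} for each mismatch.

    Hypothetical helper. Every <properties> block is scanned, including
    those inside <profile> elements; a later block overwrites an earlier
    entry for the same property name.
    """
    root = ET.fromstring(pom_xml)
    drift = {}
    for elem in root.iter():
        if local_name(elem.tag) != "properties":
            continue
        for prop in elem:
            name = local_name(prop.tag)
            value = (prop.text or "").strip()
            if name in baseline and value != baseline[name]:
                drift[name] = (baseline[name], value)
    return drift
```

Properties absent from the baseline, such as avro.version in the sample, are not reported, so the check only covers libraries the platform is known to provide.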
No description provided.