flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ufuk Celebi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-8308) Update yajl-ruby dependency to 1.3.1 or higher
Date Wed, 31 Jan 2018 13:32:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-8308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16346827#comment-16346827

Ufuk Celebi commented on FLINK-8308:

A naive question first: would we notice any breaking changes during compile time or would
we have to manually check things?

Upgrading the Jekyll/Ruby version sounds ok to me. We also have a docker build environment
that would need to run the newer Ruby version as well. In order to update that, you can coordinate
with [~plucas].

[~fhueske] What's your opinion? We can also ask the Apache security team whether it's ok to
ignore this and keep things as they are.

> Update yajl-ruby dependency to 1.3.1 or higher
> ----------------------------------------------
>                 Key: FLINK-8308
>                 URL: https://issues.apache.org/jira/browse/FLINK-8308
>             Project: Flink
>          Issue Type: Task
>          Components: Project Website
>            Reporter: Fabian Hueske
>            Assignee: Steven Langbroek
>            Priority: Critical
>             Fix For: 1.5.0, 1.4.1
> We got notified that yajl-ruby < 1.3.1, a dependency which is used to build the Flink
website, has a  security vulnerability of high severity.
> We should update yajl-ruby to 1.3.1 or higher.
> Since the website is built offline and served as static HTML, I don't think this is a
super critical issue (please correct me if I'm wrong), but we should resolve this soon.

This message was sent by Atlassian JIRA

View raw message