sqoop-dev mailing list archives

From "Daniel Voros (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SQOOP-3322) Version differences between ivy configurations
Date Tue, 08 May 2018 12:34:00 GMT

    [ https://issues.apache.org/jira/browse/SQOOP-3322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16467355#comment-16467355 ]

Daniel Voros commented on SQOOP-3322:

One more thing I'd include in this ticket is bumping (defining to be more precise, and not
just getting via transitive dependencies) jackson-databind version from 2.3.1 to 2.9.5 that
isn't affected by CVE-2017-7525.

> Version differences between ivy configurations
> ----------------------------------------------
>                 Key: SQOOP-3322
>                 URL: https://issues.apache.org/jira/browse/SQOOP-3322
>             Project: Sqoop
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 1.4.7
>            Reporter: Daniel Voros
>            Assignee: Daniel Voros
>            Priority: Minor
> We have multiple ivy configurations defined in ivy.xml.
>  - The {{redist}} configuration is used to select the artifacts that need to be distributed with Sqoop in its tar.gz.
>  - The {{common}} configuration is used to set the classpath during compilation (also referred to as 'hadoop classpath')
>  - The {{test}} configuration is used to set the classpath during junit execution. It extends the {{common}} config.
> Some artifacts end up having different versions between these three configurations, which means we're using different versions during compilation/testing/runtime.
> Differences:
> ||Artifact||redist||common (compilation)||test||
> |commons-pool|not in redist|1.5.4|*1.6*|
> |commons-codec|1.4|1.9|*1.9*|
> |commons-io|1.4|2.4|*2.4*|
> |commons-logging|1.1.1|1.2|*1.2*|
> |slf4j-api|1.6.1|1.7.7|*1.7.7*|
> I'd suggest using the version *in bold* in all three configurations to use the latest
> To achieve this we should exclude these artifacts from the transitive dependencies and define them explicitly.
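
A check for the version drift described in the quoted issue, as an added example that is not part of the original message or of Sqoop's build: it compares resolved jar names per ivy configuration, flags artifacts whose versions differ, and flags any artifact below a pinned minimum. The jar lists are constructed from the table above; the placement of jackson-databind 2.3.1 in redist is an assumption, and audit, parse, vkey, RESOLVED and FLOORS are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: jar names per ivy configuration, built from the versions
# in the issue's table. Putting jackson-databind 2.3.1 in redist is an assumption.
RESOLVED = {
    "redist": ["commons-codec-1.4.jar", "commons-io-1.4.jar",
               "commons-logging-1.1.1.jar", "slf4j-api-1.6.1.jar",
               "jackson-databind-2.3.1.jar"],
    "common": ["commons-pool-1.5.4.jar", "commons-codec-1.9.jar",
               "commons-io-2.4.jar", "commons-logging-1.2.jar",
               "slf4j-api-1.7.7.jar"],
    "test": ["commons-pool-1.6.jar", "commons-codec-1.9.jar",
             "commons-io-2.4.jar", "commons-logging-1.2.jar",
             "slf4j-api-1.7.7.jar"],
}
# Minimum acceptable versions; 2.9.5 is the version named in the comment above.
FLOORS = {"jackson-databind": "2.9.5"}

JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[\w.-]*)\.jar$")

def parse(jar):
    """Split 'slf4j-api-1.7.7.jar' into ('slf4j-api', '1.7.7')."""
    m = JAR_RE.match(jar)
    if not m:
        raise ValueError(f"cannot split name/version: {jar}")
    return m["name"], m["ver"]

def vkey(version):
    """Numeric sort key for dotted versions; non-numeric qualifiers are ignored."""
    return tuple(int(p) for p in re.split(r"[.-]", version) if p.isdigit())

def audit(resolved, floors):
    seen = defaultdict(dict)  # artifact -> {configuration: version}
    for conf, jars in resolved.items():
        for jar in jars:
            name, ver = parse(jar)
            seen[name][conf] = ver
    # Drift: the same artifact resolves to more than one version.
    drift = {n: v for n, v in seen.items() if len(set(v.values())) > 1}
    # Below floor: configurations still carrying a version older than the pin.
    below = {}
    for name, floor in floors.items():
        old = {c: v for c, v in seen.get(name, {}).items() if vkey(v) < vkey(floor)}
        if old:
            below[name] = old
    return drift, below

if __name__ == "__main__":
    drift, below = audit(RESOLVED, FLOORS)
    for name, versions in sorted(drift.items()):
        print("DRIFT", name, versions)
    for name, versions in sorted(below.items()):
        print("BELOW FLOOR", name, versions)
```

In a real build the per-configuration lists would come from the jar names in each configuration's resolved lib directory rather than from the constant above.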
