PARQUET-1367 upgrade a few libs for security reasons #508
… 1.7.25 and snappy to 1.1.7.2
```xml
<dependency>
  <groupId>org.xerial.snappy</groupId>
  <artifactId>snappy-java</artifactId>
  <version>1.1.2.6</version>
```
Could you please link the CVEs for snappy-java?
There is no CVE that I found for snappy-java. But here at Oracle the security team won't approve use of software more than 18 months or 5 versions old. snappy-java 1.1.26 is 26 months and 9 releases old. For that reason I included it in the PR. (Same applies for fastutil and slf4j.)
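The dependency-age rule described in the comment above (nothing more than 18 months or 5 versions behind the latest release), implemented as a check over a Maven pom.xml. This is an added example, not parquet-mr's code or the reviewer's tooling: the pom fragment, the release history and the "today" date are constructed placeholders, and "5 versions old" is read as "more than 5 versions behind".

```python
from datetime import date, timedelta
from xml.etree import ElementTree as ET

# Constructed pom.xml fragment (not parquet-mr's real pom), pinning the
# snappy-java version discussed in the review thread.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.xerial.snappy</groupId>
      <artifactId>snappy-java</artifactId>
      <version>1.1.2.6</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed release history, oldest first: 1.1.2.6, eight placeholder
# releases, then 1.1.7.2. Dates are illustrative, not Maven Central's.
_FIRST = date(2016, 6, 1)
RELEASES = {"org.xerial.snappy:snappy-java":
            [("1.1.2.6", _FIRST)]
            + [(f"placeholder-{i}", _FIRST + timedelta(days=90 * i)) for i in range(1, 9)]
            + [("1.1.7.2", _FIRST + timedelta(days=810))]}
TODAY = date(2018, 8, 1)    # constructed "today" for the worked run

MAX_AGE_DAYS = 18 * 30      # policy: pinned release no older than ~18 months
MAX_VERSIONS_BEHIND = 5     # policy: no more than 5 versions behind latest

def parse_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] for every <dependency> element."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]   # drop the Maven XML namespace, if any
    return [(f"{d.findtext('groupId')}:{d.findtext('artifactId')}", d.findtext("version"))
            for d in root.iter("dependency")]

def check_freshness(ga, version, history, today):
    """Apply the age/version-count policy; history is (version, date) oldest first."""
    versions = [v for v, _ in history]
    if version not in versions:   # unpinned, property-managed or unknown version
        return {"dependency": ga, "version": version, "stale": True, "reason": "unknown version"}
    idx = versions.index(version)
    behind, age_days = len(versions) - 1 - idx, (today - history[idx][1]).days
    return {"dependency": ga, "version": version, "latest": versions[-1],
            "versions_behind": behind, "age_days": age_days,
            "stale": age_days > MAX_AGE_DAYS or behind > MAX_VERSIONS_BEHIND}

def audit(pom_xml, releases, today):
    """Check every dependency in the POM against its known release history."""
    return [check_freshness(ga, v, releases.get(ga, []), today)
            for ga, v in parse_dependencies(pom_xml)]
```

For a real build, the release history would come from the repository's metadata rather than a hard-coded table, and dependencies managed through properties or a parent pom need their resolved version first.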
Looks like there are compilation failures, probably because of the Guava upgrade. Could you please have a look at it?

Thanks, I've now pushed in the fix.

I attempted to upgrade elephant bird (since 4.4 is also quite old), but it appears that from version 4.5 onwards they removed some packages, including

Just rebased. It looks like a lot of the stuff is already on the master branch.

Closing this since it is outdated.

There are a number of libraries which need updating. Among other reasons, there are several security issues filed in CVE for Hadoop and Guava.