Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Exclude grpc-okhttp dependency and set okhttp3 & okio version #11025

Merged
merged 1 commit into from
Jun 25, 2021
Merged

[Security] Exclude grpc-okhttp dependency and set okhttp3 & okio version #11025

merged 1 commit into from
Jun 25, 2021

Conversation

lhotari
Copy link
Member

@lhotari lhotari commented Jun 22, 2021

Motivation

  • okhttp 2.7.4 dependency causes Pulsar to be flagged as vulnerable.
    this dependency is pulled in by the unnecessary grpc-okhttp dependency.

Modifications

  • exclude grprc-okhttp and it's transitive dependencies

  • set okhttp3 and okio versions in dependency management since the okio versio
    changed when exclusions were added.

@lhotari
[Security] Exclude grpc-okhttp dependency and set okhttp3 & okio version
8aadce4 
- okhttp 2.7.4 dependency causes Pulsar to be flagged as vulnerable.
  this dependency is pulled in by the unnecessary grpc-okhttp dependency.

- set okhttp3 and okio versions in dependency management since the okio versio
  changed when exclusions were added.
@sijie sijie added this to the 2.9.0 milestone Jun 24, 2021
@sijie sijie merged commit 59a8291 into apache:master Jun 25, 2021
bharanic-dev pushed a commit to bharanic-dev/pulsar that referenced this pull request Mar 18, 2022
@lhotari @ciaocloud
[Security] Exclude grpc-okhttp dependency and set okhttp3 & okio vers…
c119320 
…ion (apache#11025)

### Motivation

- okhttp 2.7.4 dependency causes Pulsar to be flagged as vulnerable.
  this dependency is pulled in by the unnecessary grpc-okhttp dependency.

### Modifications

- exclude grprc-okhttp and it's transitive dependencies

- set okhttp3 and okio versions in dependency management since the okio versio
  changed when exclusions were added.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sijie sijie sijie approved these changes

@aahmed-se aahmed-se Awaiting requested review from aahmed-se

@merlimat merlimat Awaiting requested review from merlimat

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@eolivelli eolivelli Awaiting requested review from eolivelli

Assignees

@lhotari lhotari

Labels
None yet
Projects
None yet
Milestone
2.9.0
Development

Successfully merging this pull request may close these issues.
2 participants
@lhotari @sijie