-
Notifications
You must be signed in to change notification settings - Fork 28.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SPARK-39250][BUILD] Upgrade Jackson to 2.13.3 #36627
Conversation
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
Hi, @MaxGekk . I set this as a blocker for Apache Spark 3.3.0. |
<fasterxml.jackson.version>2.13.2</fasterxml.jackson.version> | ||
<fasterxml.jackson.databind.version>2.13.2.1</fasterxml.jackson.databind.version> | ||
<fasterxml.jackson.version>2.13.3</fasterxml.jackson.version> | ||
<fasterxml.jackson.databind.version>2.13.3</fasterxml.jackson.databind.version> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I add this property because of SPARK-38665, and it can be removed because all jackson jars share same version again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you look at the history, SPARK-38665 is not the only one did that. databind
is frequently separated and merged back repeatedly. :) That's the reason why I decided not to remote that property back in this PR.
[SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
[SPARK-33695][BUILD] Upgrade to jackson to 2.10.5 and jackson-databind to 2.10.5.1
[SPARK-28728][BUILD] Bump Jackson Databind to 2.9.9.3
Thank you, @HyukjinKwon , @pan3793 , @MaxGekk . Merged to master/3.3 to unblock next RC. |
### What changes were proposed in this pull request? This PR aims to upgrade Jackson to 2.13.3. ### Why are the changes needed? Although Spark is not affected, Jackson 2.13.0~2.13.2 has the following regression which affects the user apps. - FasterXML/jackson-databind#3446 Here is a full release note. - https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.3 ### Does this PR introduce _any_ user-facing change? No. The previous version is not released yet. ### How was this patch tested? Pass the CIs. Closes #36627 from dongjoon-hyun/SPARK-39250. Authored-by: Dongjoon Hyun <dongjoon@apache.org> Signed-off-by: Dongjoon Hyun <dongjoon@apache.org> (cherry picked from commit 73438c0) Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
After merge of the changes to 3.3, I observe the error:
Is it just a coincidence? For example: https://github.com/apache/spark/runs/6552079071?check_suite_focus=true |
Yes, that failure was irrelevant to this PR, @MaxGekk . |
What changes were proposed in this pull request?
This PR aims to upgrade Jackson to 2.13.3.
Why are the changes needed?
Although Spark is not affected, Jackson 2.13.0~2.13.2 has the following regression which affects the user apps.
java.lang.StringBuffer
cannot be deserialized FasterXML/jackson-databind#3446Here is a full release note.
Does this PR introduce any user-facing change?
No. The previous version is not released yet.
How was this patch tested?
Pass the CIs.