THRIFT-5375 Move java dependency tomcat-embed to the crossTest configuration... #2340
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…emove outdated unnecessary compile time dependency. For the java libthrift, tomcat-embedded is only used in crossTests, I have moved it to crossTest configuration so the libthrift java package does not require this unnecessary dependency for compilation. Instead, the java-servlet dependency has been reintroduced in compile time. I've also taken this opportunity to update both dependenciesto a later version.
|
It has been merged, not rejected. |
|
Hi, Can we expect a release for that fix ? It's important for us since the imported tomcat-embed 8.5.46 contains a lot of CVEs (cf https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/version_id-200037/Apache-Tomcat-8.5.4.html). Thanks, |
|
Hi! Any update a release for this fix? |
|
There are plans to release 0.15.0 in late summer. |
|
Hi @Jens-G. Just noticed there is a 0.14.2 release 6 days ago. Is this PR included in it? |
|
I know, I prepared that release myself. It only contains two additional fixes on top of 0.14.1. |
Jens-G
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…to remove outdated unnecessary compile time dependency.
When using java package libthrift 0.14.0, I've noticed a new compile time dependency for the package to tomcat-embedded-core. Upon reviewing, this package is quite old and is a security risk. When I looked at where and how this package is being used, I noticed that it's only refered to by crossTest and to provide access to the javax.servlet classes.
Since tomcat-embedded is only used in crossTests, I have moved it to crossTest configuration so the libthrift java package does not require this unnecessary dependency for compilation. Instead, the java-servlet dependency has been reintroduced in compile time. I've also taken this opportunity to update both dependenciesto a later version.