Nippy 2.15.1 upgrade #1044

Merged
merged 3 commits into from Aug 27, 2020

keytiong

A security advisory for users of nippy older than 2.15.0 to upgrade to 2.15.0.

The PR is to upgrade crux's nippy version to 2.15.0 plus associated dependency conflict resolutions due to the upgrade.

@jarohen jarohen self-assigned this Aug 19, 2020
@jarohen jarohen added this to Awaiting Merge in XTDB Development via automation Aug 19, 2020
@jarohen jarohen moved this from Awaiting Merge to Selected in XTDB Development Aug 19, 2020
Member

jarohen commented Aug 19, 2020

Hi @keytiong - many thanks for bringing this to our attention.

We'll unfortunately need to check whether we were inadvertently depending on the Serializable behaviour before we merge this one - will investigate.

Cheers!

James

@jarohen jarohen moved this from Selected to Awaiting Merge in XTDB Development Aug 24, 2020
@jarohen jarohen self-requested a review August 24, 2020 08:49
@jarohen jarohen force-pushed the nippy-2.15 branch 2 times, most recently from bb1d32d to 432e754 Compare August 24, 2020 16:59
@jarohen jarohen requested review from hraberg and jonpither and removed request for jarohen August 24, 2020 17:08
Member

jarohen commented Aug 24, 2020

Have included a crux.nippy.allow-serializable-classes JVM property so that users can specify an allow-list of classes that they're already using in their Crux documents. Pulling in @hraberg for another pair of eyes.

Member

jarohen commented Aug 24, 2020

Let's see if we can put that JVM property in Nippy instead ^^

@jarohen jarohen modified the milestone: 1.11.0 Aug 25, 2020
Contributor

@hraberg hraberg left a comment

IIRC there was a reason we're stuck on this version of Nippy and have an explicit version of encore we depend on. But cannot remember why atm.

That said, this exposure of general serialised Java objects is likely something we want to close down before it gets to Nippy, so that's another way of dealing with this, but for now, assuming everything still works, as I don't recall what it was that kept us back, let's go ahead with this.

@jarohen jarohen moved this from Awaiting Merge to In progress in XTDB Development Aug 27, 2020
XTDB Development automation moved this from In progress to Awaiting release Aug 27, 2020
@jarohen jarohen removed the blocked label Aug 27, 2020
Member

jarohen commented Aug 27, 2020

Merged - thanks again @keytiong 😄

@jarohen jarohen changed the title Nippy 2.15.0 upgrade Nippy 2.15. upgrade Aug 28, 2020
@jarohen jarohen changed the title Nippy 2.15. upgrade Nippy 2.15.1 upgrade Aug 28, 2020
@keytiong keytiong deleted the nippy-2.15 branch May 28, 2021 16:32
@jarohen jarohen added the 1.x label Apr 21, 2023