Posted to issues@nifi.apache.org by "Nathan Gough (JIRA)" <ji...@apache.org> on 2019/07/11 18:44:00 UTC

[jira] [Commented] (NIFI-4300) Further review dependency upgrades

    [ https://issues.apache.org/jira/browse/NIFI-4300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883259#comment-16883259 ] 

Nathan Gough commented on NIFI-4300:
------------------------------------

# org.apache.poi:poi in nifi-media-nar 3.12-beta1 -> 3.15 | Would require upgrading to a new version of tika-core/tika-parses which have catx json dependencies.
 ** *This version does not appear present anymore. Currently 4.0.1.*
 # commons-fileupload:commons-fileupload in nifi-gcp-nar 1.3.1 -> 1.3.2 | Would require upgrading google-cloud but no production release since 0.8.0. Could manually exclude commons-fileupload and directly depend on the newer version.
 commons-fileupload:commons-fileupload in nifi-gcp-nar 1.3.1 -> 1.3.2 | Would require upgrading google-cloud but no production release since 0.8.0. Could manually exclude commons-fileupload and directly depend on the newer version.
 ** *Does not appear present in nifi-gcp-nar anymore. Only present in solr which can be upgraded (which would require code changes. NIFI-6101):*

{noformat}
[INFO] ---------------< org.apache.nifi:nifi-solr-processors >---------------
[INFO] Building nifi-solr-processors 1.10.0-SNAPSHOT                  [165/435]
[INFO] -------------------------------[ jar ]--------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-solr-processors ---
[INFO] org.apache.nifi:nifi-solr-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.solr:solr-core:jar:6.2.0:test
[INFO]    \- commons-fileupload:commons-fileupload:jar:1.3.1:test
{noformat}

 # commons-collections:commons-collections in nifi-hbase_1_1_2-client-service 3.2.1 -> 3.2.2 | Check with Burgess/Bende. Would require manual exclusive across multiple dependencies and directly dependency on 3.2.2
 commons-collections:commons-collections in nifi-hbase_1_1_2-client-service 3.2.1 -> 3.2.2 | Would require manual exclusion.
 ** *Commons-collections is used through a lot of the codebase. It has since been moved to a different project called org.apache.commons:commons-collections4 for v4.x onwards. The below packages contain 3.2.1. Other usages are 3.2.2, which was released Nov 2015.*
  
{noformat}
[INFO] ----------------< org.apache.nifi:nifi-kite-processors >----------------
[INFO] Building nifi-kite-processors 1.10.0-SNAPSHOT                  [159/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-kite-processors ---
[INFO] org.apache.nifi:nifi-kite-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.kitesdk:kite-hadoop-test-dependencies:pom:1.1.0:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.6.0:test
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:provided
[INFO] ----------------< org.apache.nifi:nifi-spark-receiver >-----------------
[INFO] Building nifi-spark-receiver 1.10.0-SNAPSHOT                   [411/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-spark-receiver ---
[INFO] org.apache.nifi:nifi-spark-receiver:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.spark:spark-streaming_2.10:jar:1.6.0:provided
[INFO]    \- org.apache.spark:spark-core_2.10:jar:1.6.0:provided
[INFO]       \- org.apache.hadoop:hadoop-client:jar:2.2.0:provided
[INFO]          \- org.apache.hadoop:hadoop-common:jar:2.2.0:provided
[INFO]             \- commons-configuration:commons-configuration:jar:1.6:provided
[INFO]                \- commons-collections:commons-collections:jar:3.2.1:provided
[INFO] ----------------< org.apache.nifi:nifi-hive-processors >----------------
[INFO] Building nifi-hive-processors 1.10.0-SNAPSHOT                  [279/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-processors ---
[INFO] org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.6.2:compile
[INFO]    \- org.apache.hadoop:hadoop-common:jar:2.6.2:compile
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO]
[INFO] -------------------< org.apache.nifi:nifi-hive-nar >--------------------
[INFO] Building nifi-hive-nar 1.10.0-SNAPSHOT                         [280/435]
[INFO] --------------------------------[ nar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-nar ---
[INFO] org.apache.nifi:nifi-hive-nar:nar:1.10.0-SNAPSHOT
[INFO] \- org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT:compile
[INFO]    \- org.apache.hadoop:hadoop-client:jar:2.6.2:compile
[INFO]       \- org.apache.hadoop:hadoop-common:jar:2.6.2:compile
[INFO]          \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO]
[INFO] --------------< org.apache.nifi:nifi-hive_1_1-processors >--------------
[INFO] Building nifi-hive_1_1-processors 1.10.0-SNAPSHOT              [281/435]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive_1_1-processors ---
[INFO] org.apache.nifi:nifi-hive_1_1-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.6.2:compile
[INFO]    \- org.apache.hadoop:hadoop-common:jar:2.6.2:compile
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO]
[INFO] -----------------< org.apache.nifi:nifi-hive_1_1-nar >------------------
[INFO] Building nifi-hive_1_1-nar 1.10.0-SNAPSHOT                     [282/435]
[INFO] --------------------------------[ nar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive_1_1-nar ---
[INFO] org.apache.nifi:nifi-hive_1_1-nar:nar:1.10.0-SNAPSHOT
[INFO] \- org.apache.nifi:nifi-hive_1_1-processors:jar:1.10.0-SNAPSHOT:compile
[INFO]    \- org.apache.hadoop:hadoop-client:jar:2.6.2:compile
[INFO]       \- org.apache.hadoop:hadoop-common:jar:2.6.2:compile
[INFO]          \- commons-collections:commons-collections:jar:3.2.1:compile
{noformat}

> Further review dependency upgrades
> ----------------------------------
>
>                 Key: NIFI-4300
>                 URL: https://issues.apache.org/jira/browse/NIFI-4300
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Extensions
>    Affects Versions: 1.3.0
>            Reporter: Andy LoPresto
>            Priority: Major
>              Labels: dependencies, security
>
> For further review: 
> * {{org.apache.poi:poi}} in {{nifi-media-nar}} 3.12-beta1 -> 3.15	| Would require upgrading to a new version of tika-core/tika-parses * which have catx json dependencies.	
> * {{commons-fileupload:commons-fileupload}} in {{nifi-gcp-nar}} 1.3.1 -> 1.3.2 | Would require upgrading google-cloud but no production * release since}} 0.8.0. Could manually exclude commons-fileupload and directly depend on the newer version.	
> * {{commons-fileupload:commons-fileupload}} in {{nifi-gcp-nar}} 1.3.1 -> 1.3.2 | Would require upgrading google-cloud but no production * release since}} 0.8.0. Could manually exclude commons-fileupload and directly depend on the newer version.	
> * {{commons-collections:commons-collections}} in {{nifi-hbase_1_1_2-client-service}} 3.2.1 -> 3.2.2 | Check with Burgess/Bende. Would * require manual exclusive across multiple dependencies and directly dependency on}} 3.2.2.	
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hdfs-processors}} 3.1 -> 4.5.3 | 3.x EOL. Would require hadoop upgrade or manually * exclusive. However, manual exclusive is super risky given the version difference.	
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hdfs-processors}} 3.1 -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual exclusive is super risky given the version difference.	
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-gcp-nar}} 2.1.3 -> 2.8.6 | Possible manual exclusion, but multiple dependencies * requiring the depender (google-auth-library-oauth2-http).	
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hive-processors}} 3.0.1 -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual exclusion is super risky given the version difference.	
> * {{commons-httpclient:commons-httpclient}} in {{nifi-hive-processors}} 3.0.1 -> 4.5.3 | 3.x EOL Would require hadoop upgrade or manually * exclusive. However, manual exclusion is super risky given the version difference.	
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-elasticsearch-5-processors}} 2.8.1 -> 2.8.6 | Can upgrade to}} 2.8.6 of * org.elasticsearch.client:transport}} in {{(and update nifi-expression-language to}} 2.8.6). Confirm with Bende.	
> * {{commons-httpclient:commons-httpclient}} in {{nifi-ranger-nar}} 4.2.5 -> 4.5.3 | Would require manual exclusion through hadoop-common * and hadoop-auth.	
> * {{com.fasterxml.jackson.core:jackson-core}} in {{nifi-spark-receiver}} 2.6.5 -> 2.8.6 | Could update direct dependency on * jackson-databind but would conflict with spark-core_2.10.	
> * {{commons-collections:commons-collections}} in {{nifi-hbase_1_1_2-client-service}} 3.2.1 -> 3.2.2 | Would require manual exclusion.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
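
Added example (not part of the original message or of the NiFi code base): a small Python parser for `mvn dependency:tree` output like the listings in the comment, reporting each module that resolves a given artifact version, the direct dependency it arrives through, and the exclusion fragment that would go under that dependency. The sample tree is constructed from coordinates in the comment plus a hypothetical `org.example` branch; `find_paths` and `exclusion_for` are names invented here.

```python
import re

# Constructed sample in `mvn dependency:tree` format; coordinates are from the
# comment's listings except the hypothetical org.example sibling branch.
SAMPLE = r"""
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-hive-processors ---
[INFO] org.apache.nifi:nifi-hive-processors:jar:1.10.0-SNAPSHOT
[INFO] +- org.example:sibling-lib:jar:1.0:compile
[INFO] |  \- org.example:other-lib:jar:1.0:compile
[INFO] \- org.apache.hadoop:hadoop-client:jar:2.6.2:compile
[INFO]    \- org.apache.hadoop:hadoop-common:jar:2.6.2:compile
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] --- maven-dependency-plugin:2.10:tree (default-cli) @ nifi-kite-processors ---
[INFO] org.apache.nifi:nifi-kite-processors:jar:1.10.0-SNAPSHOT
[INFO] \- org.kitesdk:kite-hadoop-test-dependencies:pom:1.1.0:test
[INFO]    \- org.apache.hadoop:hadoop-common:test-jar:tests:2.6.0:test
[INFO]       \- commons-collections:commons-collections:jar:3.2.1:provided
"""

# "[INFO] " + 3-char indent units + optional "+- " or "\- " marker + coordinate
NODE = re.compile(r"^\[INFO\] ((?:[| ] {2})*)([+\\]- )?(\S+)$")

def find_paths(tree_text, group_artifact, version):
    """Return (module, direct_dependency, scope, chain) for every resolved hit."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m or m.group(3).count(":") < 3:
            continue  # banners, "Building ..." lines, bare "[INFO]"
        indent, marker, coord = m.groups()
        depth = len(indent) // 3 + 1 if marker else 0  # 0 = the module itself
        del stack[depth:]         # leave the previous branch below this level
        stack.append(coord)
        parts = coord.split(":")  # group:artifact:type[:classifier]:version:scope
        if (depth and len(stack) == depth + 1  # skip nodes from a truncated tree
                and ":".join(parts[:2]) == group_artifact and parts[-2] == version):
            hits.append((stack[0].split(":")[1], stack[1], parts[-1], list(stack)))
    return hits

def exclusion_for(direct_dependency, group_artifact):
    """POM fragment to place inside the <dependency> that pulls the artifact in."""
    group, artifact = group_artifact.split(":")
    return (f"<!-- under {':'.join(direct_dependency.split(':')[:2])} -->\n"
            f"<exclusions><exclusion><groupId>{group}</groupId>"
            f"<artifactId>{artifact}</artifactId></exclusion></exclusions>")

if __name__ == "__main__":
    ga = "commons-collections:commons-collections"
    for module, direct, scope, chain in find_paths(SAMPLE, ga, "3.2.1"):
        print(f"{module} [{scope}] depth={len(chain) - 1}\n{exclusion_for(direct, ga)}")
```

The returned scope (`compile`, `provided`, `test`) lets a reviewer triage hits before deciding where a manual exclusion plus a direct dependency on the newer version is needed.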