Posted to issues@tez.apache.org by "László Bodor (Jira)" <ji...@apache.org> on 2021/04/12 07:08:00 UTC

[jira] [Updated] (TEZ-4303) Exclude compile-time httpclient dependency from Tez

     [ https://issues.apache.org/jira/browse/TEZ-4303?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

László Bodor updated TEZ-4303:
------------------------------
    Description: 
Tez doesn't depend on org.apache.httpcomponents.httpclient directly. In order to avoid security warnings related to this component (e.g. CVE-2020-13956), we might exclude it.
With exclusions, only the test-scoped dependency should remain in the Tez dependency tree, like:
{code}
[INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.1.3:test
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
{code}



> Exclude compile-time httpclient dependency from Tez
> ---------------------------------------------------
>
>                 Key: TEZ-4303
>                 URL: https://issues.apache.org/jira/browse/TEZ-4303
>             Project: Apache Tez
>          Issue Type: Bug
>            Reporter: László Bodor
>            Assignee: László Bodor
>            Priority: Major
>
> Tez doesn't depend on org.apache.httpcomponents.httpclient directly. In order to avoid security warnings related to this component (e.g. CVE-2020-13956), we might exclude it.
> With exclusions, only the test-scoped dependency should remain in the Tez dependency tree, like:
> {code}
> [INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.1.3:test
> [INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
> [INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
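
A check for the outcome the issue describes, added here as an example and not taken from the Tez project: it parses `mvn dependency:tree` text and reports every httpclient occurrence whose scope is not `test`. The function names and the second sample tree (including `org.example:some-lib`) are constructed for illustration; the first sample is the tree quoted in the issue.

```python
import re

# One artifact line of `mvn dependency:tree`, e.g.
# "[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:test"
# Each nesting level is a 3-character unit: "|  " or "   ".
LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?:\+-|\\-) (?P<coords>\S+)")

def parse_coords(coords):
    """Split groupId:artifactId:type[:classifier]:version:scope."""
    parts = coords.split(":")
    if len(parts) < 5:          # root module line or noise: no scope field
        return None
    return {"group": parts[0], "artifact": parts[1],
            "version": parts[-2], "scope": parts[-1]}

def non_test_occurrences(tree_text, group="org.apache.httpcomponents",
                         artifact="httpclient"):
    """Return (scope, version, path) for each match outside test scope."""
    findings, path = [], []
    for line in tree_text.splitlines():
        m = LINE.match(line)
        dep = parse_coords(m.group("coords")) if m else None
        if dep is None:
            continue
        depth = len(m.group("indent")) // 3
        del path[depth:]        # drop siblings and deeper nodes
        path.append(dep["group"] + ":" + dep["artifact"])
        if (dep["group"], dep["artifact"]) == (group, artifact) \
                and dep["scope"] != "test":
            findings.append((dep["scope"], dep["version"], " > ".join(path)))
    return findings

# Tree quoted in the issue: the desired end state (test scope only).
ISSUE_TREE = r"""
[INFO] +- org.apache.hadoop:hadoop-common:test-jar:tests:3.1.3:test
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:test
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.4:test
"""

# Constructed sample: a hypothetical library leaks httpclient at compile scope.
LEAKY_TREE = r"""
[INFO] org.example:demo:jar:1.0
[INFO] +- org.example:some-lib:jar:1.0:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |     \- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
"""

if __name__ == "__main__":
    for name, tree in (("issue", ISSUE_TREE), ("leaky", LEAKY_TREE)):
        print(name, non_test_occurrences(tree) or "OK: test scope only")
```

The reported path names the dependency that pulls httpclient in, which is where a Maven `<exclusion>` would go.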