Posted to commits@phoenix.apache.org by st...@apache.org on 2024/01/17 07:34:21 UTC
(phoenix) branch 5.1 updated: PHOENIX-7181 Do not declare commons-configuration2 dependency
This is an automated email from the ASF dual-hosted git repository.
stoty pushed a commit to branch 5.1
in repository https://gitbox.apache.org/repos/asf/phoenix.git
The following commit(s) were added to refs/heads/5.1 by this push:
new 569f931d8e PHOENIX-7181 Do not declare commons-configuration2 dependency
569f931d8e is described below
commit 569f931d8e1dae1990a26f40a445b6920e11be08
Author: Istvan Toth <st...@apache.org>
AuthorDate: Mon Jan 15 15:39:03 2024 +0100
PHOENIX-7181 Do not declare commons-configuration2 dependency
---
phoenix-core/pom.xml | 4 ----
pom.xml | 13 +++++++------
2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/phoenix-core/pom.xml b/phoenix-core/pom.xml
index 22c81d9d00..3f6193793a 100644
--- a/phoenix-core/pom.xml
+++ b/phoenix-core/pom.xml
@@ -500,10 +500,6 @@
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- </dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
diff --git a/pom.xml b/pom.xml
index ddf4ac6495..c923b3e6f6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -121,7 +121,6 @@
<commons-csv.version>1.0</commons-csv.version>
<commons-compress.version>1.21</commons-compress.version>
<sqlline.version>1.9.0</sqlline.version>
- <commons-configuration2.version>2.1.1</commons-configuration2.version>
<jcip-annotations.version>1.0-1</jcip-annotations.version>
<jsr305.version>2.0.1</jsr305.version>
<snappy.version>0.3</snappy.version>
@@ -450,6 +449,13 @@
<!-- These change too frequently, so we just rely on the hbase transitive deps -->
org.apache.hbase.thirdparty:*
</ignoredUsedUndeclaredDependency>
+ <ignoredUsedUndeclaredDependency>
+ <!-- We only need this because the Hadoop Metrics API leak.
+ By not declaring the dependency, we can pick up the CVE fixed version from Hadoop
+ without having to also declare a dependency on commons-text dependency
+ (which we do not use directly at all)-->
+ org.apache.commons:commons-configuration2
+ </ignoredUsedUndeclaredDependency>
</ignoredUsedUndeclaredDependencies>
</configuration>
<executions>
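Review bot: The new `ignoredUsedUndeclaredDependency` entry for `org.apache.commons:commons-configuration2` silences the dependency analysis, but nothing visible in this hunk enforces the property the comment relies on, namely that the resolved version is the CVE-fixed one. Together with the removal of the `commons-configuration2.version` property and the managed dependency elsewhere in this commit, the version now depends entirely on what the selected Hadoop release pulls in transitively, so a build against an older Hadoop line could silently resolve a vulnerable release. The comment should name the advisory and the minimum Hadoop version that ships the fix, for example `<!-- Used only through the Hadoop Metrics API; left undeclared so the version follows Hadoop's. Needs Hadoop >= MIN_HADOOP_VERSION_PLACEHOLDER, see CVE_ID_PLACEHOLDER -->`. If the build already runs maven-enforcer-plugin, a `bannedDependencies` rule excluding the affected version range would turn that assumption into a build failure instead of a comment. The enclosing plugin `<configuration>` starts outside the hunk, so whether such a rule already exists cannot be seen from here.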
@@ -1434,11 +1440,6 @@
<artifactId>commons-lang3</artifactId>
<version>${commons-lang.version}</version>
</dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-configuration2</artifactId>
- <version>${commons-configuration2.version}</version>
- </dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>