Posted to commits@phoenix.apache.org by st...@apache.org on 2024/01/17 07:34:21 UTC

(phoenix) branch 5.1 updated: PHOENIX-7181 Do not declare commons-configuration2 dependency

This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch 5.1
in repository https://gitbox.apache.org/repos/asf/phoenix.git


The following commit(s) were added to refs/heads/5.1 by this push:
     new 569f931d8e PHOENIX-7181 Do not declare commons-configuration2 dependency
569f931d8e is described below

commit 569f931d8e1dae1990a26f40a445b6920e11be08
Author: Istvan Toth <st...@apache.org>
AuthorDate: Mon Jan 15 15:39:03 2024 +0100

    PHOENIX-7181 Do not declare commons-configuration2 dependency
---
 phoenix-core/pom.xml |  4 ----
 pom.xml              | 13 +++++++------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/phoenix-core/pom.xml b/phoenix-core/pom.xml
index 22c81d9d00..3f6193793a 100644
--- a/phoenix-core/pom.xml
+++ b/phoenix-core/pom.xml
@@ -500,10 +500,6 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.apache.commons</groupId>
-      <artifactId>commons-configuration2</artifactId>
-    </dependency>
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
diff --git a/pom.xml b/pom.xml
index ddf4ac6495..c923b3e6f6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -121,7 +121,6 @@
     <commons-csv.version>1.0</commons-csv.version>
     <commons-compress.version>1.21</commons-compress.version>
     <sqlline.version>1.9.0</sqlline.version>
-    <commons-configuration2.version>2.1.1</commons-configuration2.version>
     <jcip-annotations.version>1.0-1</jcip-annotations.version>
     <jsr305.version>2.0.1</jsr305.version>
     <snappy.version>0.3</snappy.version>
@@ -450,6 +449,13 @@
                   <!-- These change too frequently, so we just rely on the hbase transitive deps -->
                   org.apache.hbase.thirdparty:*
                 </ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>
+                  <!-- We only need this because the Hadoop Metrics API leak.
+                  By not declaring the dependency, we can pick up the CVE fixed version from Hadoop
+                  without having to also declare a dependency on commons-text dependency
+                  (which we do not use directly at all)-->
+                  org.apache.commons:commons-configuration2
+                </ignoredUsedUndeclaredDependency>
               </ignoredUsedUndeclaredDependencies>
             </configuration>
           <executions>
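Review bot: The new `ignoredUsedUndeclaredDependency` entry for `org.apache.commons:commons-configuration2` leaves the resolved version entirely to whichever Hadoop release the build pulls in, so the "CVE fixed version" the comment mentions only arrives if that Hadoop release ships it. The comment names neither the CVE nor the minimum Hadoop version, so a later reader cannot verify the claim. I would reword it along the lines of `<!-- Used only through the Hadoop Metrics API; left undeclared so the version follows Hadoop's (fix for <CVE-ID> present from Hadoop <MIN_VERSION>) and commons-text need not be managed here -->`, with the placeholders filled in from PHOENIX-7181. Since the dependencyManagement pin is removed elsewhere in this commit, a build against an older Hadoop would presumably pick up the older library without any signal. A `maven-enforcer-plugin` `bannedDependencies` rule with a lower version bound on this artifact would turn that case into a build failure.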
@@ -1434,11 +1440,6 @@
         <artifactId>commons-lang3</artifactId>
         <version>${commons-lang.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.apache.commons</groupId>
-        <artifactId>commons-configuration2</artifactId>
-        <version>${commons-configuration2.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>