Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/11/23 13:55:13 UTC

[GitHub] [flink] MartijnVisser opened a new pull request, #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.32

MartijnVisser opened a new pull request, #21377:
URL: https://github.com/apache/flink/pull/21377

   ## What is the purpose of the change
   
   * Bump snakeyaml
   
   ## Brief change log
   
   * Updated POM
   
   ## Verifying this change
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): yes
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
     - The serializers: no
     - The runtime per-record code paths (performance sensitive): no
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Kubernetes/Yarn, ZooKeeper: no
     - The S3 file system connector: no
   
   ## Documentation
   
     - Does this pull request introduce a new feature? no
     - If yes, how is the feature documented? not applicable
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [flink] MartijnVisser commented on a diff in pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.32

Posted by GitBox <gi...@apache.org>.
MartijnVisser commented on code in PR #21377:
URL: https://github.com/apache/flink/pull/21377#discussion_r1030489228


##########
pom.xml:
##########
@@ -879,7 +879,7 @@ under the License.
 				<!-- Bumped for security purposes and making it work with Jackson dependencies (2.10.1) -->
 				<groupId>org.yaml</groupId>
 				<artifactId>snakeyaml</artifactId>
-				<version>1.31</version>
+				<version>1.32</version>
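Review bot: the unchanged context line above the coordinates still gives "making it work with Jackson dependencies (2.10.1)" as the reason for the pinned version; since this bump is a security update (FLINK-30175), update that comment together with `<version>1.32</version>` so the next reader knows why 1.32 is the floor, and raise the enforcer `bannedDependencies` range for `org.yaml:snakeyaml` in the same change so the managed version and the ban cannot drift apart.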

Review Comment:
   Yes (and now I don't understand why Dependabot didn't suggest that)





[GitHub] [flink] snuyanzin commented on a diff in pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.33

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #21377:
URL: https://github.com/apache/flink/pull/21377#discussion_r1031112947


##########
pom.xml:
##########
@@ -1707,12 +1707,12 @@ under the License.
 							<rules>
 								<bannedDependencies>
 									<excludes>
-										<exclude>org.yaml:snakeyaml:(,1.30]</exclude>
+										<exclude>org.yaml:snakeyaml:(,1.31]</exclude>
 									</excludes>
 									<includes>
 										<!-- Snakeyaml is pulled in by many modules without using it in production,
 											so there's no benefit in us investing time into bumping these. -->
-										<include>org.yaml:snakeyaml:(,1.30]:*:test</include>
+										<include>org.yaml:snakeyaml:(,1.31]:*:test</include>
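Review bot: the `<include>` carve-out re-admits the banned range `(,1.31]` for test scope, so this rule only blocks vulnerable snakeyaml on compile and runtime classpaths; that is the intent stated in the in-code comment, but it requires the `<exclude>` and `<include>` ranges to stay identical, and both are hand-edited here, so consider deriving both from a single property so a future bump cannot update one line and miss the other. Note also that `(,1.31]` bans versions up to and including 1.31, so it tracks the last known-vulnerable version rather than the declared one; the comment should say which of the two it is meant to follow.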

Review Comment:
   Thanks for the clarification.





[GitHub] [flink] snuyanzin commented on a diff in pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.33

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #21377:
URL: https://github.com/apache/flink/pull/21377#discussion_r1030569164


##########
pom.xml:
##########
@@ -1707,12 +1707,12 @@ under the License.
 							<rules>
 								<bannedDependencies>
 									<excludes>
-										<exclude>org.yaml:snakeyaml:(,1.30]</exclude>
+										<exclude>org.yaml:snakeyaml:(,1.31]</exclude>
 									</excludes>
 									<includes>
 										<!-- Snakeyaml is pulled in by many modules without using it in production,
 											so there's no benefit in us investing time into bumping these. -->
-										<include>org.yaml:snakeyaml:(,1.30]:*:test</include>
+										<include>org.yaml:snakeyaml:(,1.31]:*:test</include>

Review Comment:
   I think in case of a move to 1.33, these two lines should also be updated, e.g. to `org.yaml:snakeyaml:(,1.32]`.





[GitHub] [flink] snuyanzin commented on a diff in pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.32

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #21377:
URL: https://github.com/apache/flink/pull/21377#discussion_r1030480628


##########
pom.xml:
##########
@@ -879,7 +879,7 @@ under the License.
 				<!-- Bumped for security purposes and making it work with Jackson dependencies (2.10.1) -->
 				<groupId>org.yaml</groupId>
 				<artifactId>snakeyaml</artifactId>
-				<version>1.31</version>
+				<version>1.32</version>
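Review bot: this hunk sets `<version>1.32</version>`, while the later messages in this thread carry the renamed title "Bump snakeyaml from 1.31 to 1.33"; if the PR was retargeted at 1.33, the version line and the PR description (which only says "Bump snakeyaml", with no target version) should be updated together so the diff, the title and the change log agree.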

Review Comment:
   Shouldn't it be better updated to 1.33?





[GitHub] [flink] MartijnVisser commented on a diff in pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.33

Posted by GitBox <gi...@apache.org>.
MartijnVisser commented on code in PR #21377:
URL: https://github.com/apache/flink/pull/21377#discussion_r1030579118


##########
pom.xml:
##########
@@ -1707,12 +1707,12 @@ under the License.
 							<rules>
 								<bannedDependencies>
 									<excludes>
-										<exclude>org.yaml:snakeyaml:(,1.30]</exclude>
+										<exclude>org.yaml:snakeyaml:(,1.31]</exclude>
 									</excludes>
 									<includes>
 										<!-- Snakeyaml is pulled in by many modules without using it in production,
 											so there's no benefit in us investing time into bumping these. -->
-										<include>org.yaml:snakeyaml:(,1.30]:*:test</include>
+										<include>org.yaml:snakeyaml:(,1.31]:*:test</include>
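Review bot: if the declared version moves past 1.32 while the ban stays at `(,1.31]`, 1.32 remains an allowed transitive version; that is consistent with the rationale given in the reply below (ban only versions with a known CVE), but it means this rule no longer pins to the managed version, so that rationale belongs in the in-code comment next to the `<exclude>` rather than only in the PR discussion.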

Review Comment:
   I thought about it and decided not to, because snakeyaml 1.32 does not contain a CVE, while everything < 1.32 does. Since this specifically checks for vulnerable snakeyaml versions, I left this as-is.



##########
pom.xml:
##########
@@ -1707,12 +1707,12 @@ under the License.
 							<rules>
 								<bannedDependencies>
 									<excludes>
-										<exclude>org.yaml:snakeyaml:(,1.30]</exclude>
+										<exclude>org.yaml:snakeyaml:(,1.31]</exclude>
 									</excludes>
 									<includes>
 										<!-- Snakeyaml is pulled in by many modules without using it in production,
 											so there's no benefit in us investing time into bumping these. -->
-										<include>org.yaml:snakeyaml:(,1.30]:*:test</include>
+										<include>org.yaml:snakeyaml:(,1.31]:*:test</include>

Review Comment:
   I thought about it and decided not to, because snakeyaml 1.32 does not contain a CVE, while everything < 1.32 does. Since this specifically checks for vulnerable snakeyaml versions, I left this as-is. 





[GitHub] [flink] flinkbot commented on pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.32

Posted by GitBox <gi...@apache.org>.
flinkbot commented on PR #21377:
URL: https://github.com/apache/flink/pull/21377#issuecomment-1325119947

   ## CI report:
   
   * 73098abbbf77c9374548d0ec13dd7ca8e55d91ec UNKNOWN
   
   <details>
   <summary>Bot commands</summary>
     The @flinkbot bot supports the following commands:
   
    - `@flinkbot run azure` re-run the last Azure build
   </details>




[GitHub] [flink] MartijnVisser closed pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.33

Posted by GitBox <gi...@apache.org>.
MartijnVisser closed pull request #21377: [FLINK-30175][Build] Bump snakeyaml from 1.31 to 1.33
URL: https://github.com/apache/flink/pull/21377

