Posted to commits@phoenix.apache.org by st...@apache.org on 2024/01/17 07:14:16 UTC

(phoenix) branch master updated: PHOENIX-7181 Do not declare commons-configuration2 dependency

This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix.git


The following commit(s) were added to refs/heads/master by this push:
     new 3492933940 PHOENIX-7181 Do not declare commons-configuration2 dependency
3492933940 is described below

commit 3492933940807737f08ef778469db9fa84b281d0
Author: Istvan Toth <st...@apache.org>
AuthorDate: Mon Jan 15 15:39:03 2024 +0100

    PHOENIX-7181 Do not declare commons-configuration2 dependency
    
    also remove redundant commons-configuration2 from phoenix-mapreduce-byo-shaded-hbase
---
 phoenix-core-client/pom.xml                |  4 ----
 phoenix-core/pom.xml                       |  5 -----
 phoenix-mapreduce-byo-shaded-hbase/pom.xml |  9 +++++++++
 pom.xml                                    | 13 +++++++------
 4 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/phoenix-core-client/pom.xml b/phoenix-core-client/pom.xml
index 1d886b3bae..ba02beaa33 100644
--- a/phoenix-core-client/pom.xml
+++ b/phoenix-core-client/pom.xml
@@ -394,10 +394,6 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>org.apache.commons</groupId>
-      <artifactId>commons-configuration2</artifactId>
-    </dependency>
     <dependency>
       <groupId>commons-io</groupId>
       <artifactId>commons-io</artifactId>
diff --git a/phoenix-core/pom.xml b/phoenix-core/pom.xml
index 85f95b5bf3..704bb5d55e 100644
--- a/phoenix-core/pom.xml
+++ b/phoenix-core/pom.xml
@@ -349,11 +349,6 @@
             <artifactId>phoenix-shaded-commons-cli</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-configuration2</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>com.github.stephenc.findbugs</groupId>
             <artifactId>findbugs-annotations</artifactId>
diff --git a/phoenix-mapreduce-byo-shaded-hbase/pom.xml b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
index 7cf6a98ea8..d9ccfd30c9 100644
--- a/phoenix-mapreduce-byo-shaded-hbase/pom.xml
+++ b/phoenix-mapreduce-byo-shaded-hbase/pom.xml
@@ -574,6 +574,15 @@
       <version>4.0.0</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+       <!-- provided by Hadoop -->
+      <groupId>org.apache.commons</groupId>
+      <artifactId>commons-configuration2</artifactId>
+      <!-- random version, for exclusion only -->
+      <version>2.1.1</version>
+      <scope>provided</scope>
+    </dependency>
+
 
     <!-- Other dependencies we don't want to shade in, but are not transitively excluded by the
     above for some reason -->
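Review bot: The comment "random version, for exclusion only" on the added `<version>2.1.1</version>` does not say that this version is never packaged, so a reader or a dependency scanner can take it for the version actually in use. Because a direct declaration takes precedence over the version Hadoop brings in transitively, this module will presumably resolve commons-configuration2 to 2.1.1, the same value the commit removes from the root pom, and composition-analysis tools may flag it. I would reword the comment to something like `<!-- Placeholder version: provided scope keeps this artifact out of the shaded jar; the runtime version is the one shipped with Hadoop -->`. As a style point, the "provided by Hadoop" comment is indented one space deeper than its siblings, and the hunk leaves two blank lines before the next comment block.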
diff --git a/pom.xml b/pom.xml
index 807baa4002..7c598fb80c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -116,7 +116,6 @@
     <commons-csv.version>1.0</commons-csv.version>
     <commons-compress.version>1.21</commons-compress.version>
     <sqlline.version>1.9.0</sqlline.version>
-    <commons-configuration2.version>2.1.1</commons-configuration2.version>
     <jcip-annotations.version>1.0-1</jcip-annotations.version>
     <jsr305.version>2.0.1</jsr305.version>
     <snappy.version>0.3</snappy.version>
@@ -445,6 +444,13 @@
                   <!-- These change too frequently, so we just rely on the hbase transitive deps -->
                   org.apache.hbase.thirdparty:*
                 </ignoredUsedUndeclaredDependency>
+                <ignoredUsedUndeclaredDependency>
+                  <!-- We only need this because the Hadoop Metrics API leak.
+                  By not declaring the dependency, we can pick up the CVE fixed version from Hadoop
+                  without having to also declare a dependency on commons-text dependency
+                  (which we do not use directly at all)-->
+                  org.apache.commons:commons-configuration2
+                </ignoredUsedUndeclaredDependency>
               </ignoredUsedUndeclaredDependencies>
             </configuration>
           <executions>
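Review bot: Nothing in the added `ignoredUsedUndeclaredDependency` entry, or elsewhere in this hunk, checks that the commons-configuration2 version inherited from Hadoop is the CVE-fixed one the comment relies on. With the managed version removed elsewhere in this commit, a build against an older Hadoop release would presumably resolve an older commons-configuration2 without any warning. The comment should state that dependency and name the advisory, for example `<!-- Version comes from Hadoop; re-check with mvn dependency:tree whenever the Hadoop version changes (addresses CVE-<id>) -->`, and a maven-enforcer `bannedDependencies` rule on the affected range would make the assumption testable. The wording would also read better as "because of the Hadoop Metrics API leak" and "a dependency on commons-text". The enclosing plugin configuration starts and ends outside the hunk.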
@@ -1518,11 +1524,6 @@
         <artifactId>commons-lang3</artifactId>
         <version>${commons-lang.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.apache.commons</groupId>
-        <artifactId>commons-configuration2</artifactId>
-        <version>${commons-configuration2.version}</version>
-      </dependency>
       <dependency>
         <groupId>commons-io</groupId>
         <artifactId>commons-io</artifactId>