Posted to common-issues@hadoop.apache.org by "Wei-Chiu Chuang (JIRA)" <ji...@apache.org> on 2019/08/02 17:09:00 UTC
[jira] [Created] (HADOOP-16485) Remove dependency on jackson
Wei-Chiu Chuang created HADOOP-16485:
----------------------------------------
Summary: Remove dependency on jackson
Key: HADOOP-16485
URL: https://issues.apache.org/jira/browse/HADOOP-16485
Project: Hadoop Common
Issue Type: Improvement
Reporter: Wei-Chiu Chuang
Looking at git history, there were 5 commits related to updating jackson versions due to various CVEs since 2018. And it seems to get worse more recently.
File this jira to discuss the possibility of removing the jackson dependency once and for all. I see that jackson is deeply integrated into the Hadoop codebase, so it is not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.
At the very least, consider stripping jackson-databind code, since that's where the majority of CVEs come from.