Posted to commits@pinot.apache.org by GitBox <gi...@apache.org> on 2022/07/12 09:10:35 UTC

[GitHub] [pinot] gyokketto commented on pull request #8991: update-dependencies

gyokketto commented on PR #8991:
URL: https://github.com/apache/pinot/pull/8991#issuecomment-1181517528

   Hi @Jackie-Jiang ,
   
   > Any specific reason why we want to update these dependencies? 
   
   We have lots of (more than 100) vulnerabilities in old packages. Here is an excerpt from a Twistlock scan of the latest image release (JARs only, leaving aside the OS packages):
   
   > low 	org.eclipse.jetty_jetty-http version 9.3.24.v20180605 has 1 vulnerability
   > medi	com.google.guava_guava version 20.0 has 2 vulnerabilities
   > medi	com.google.guava_guava version 14.0.1 has 2 vulnerabilities
   > mode	io.netty_netty-codec-http version 4.1.54.Final has 3 vulnerabilities
   > mode	io.netty_netty-codec-http2 version 4.1.54.Final has 2 vulnerabilities
   > medi	org.eclipse.jetty_jetty-io version 9.3.24.v20180605 has 3 vulnerabilities
   > medi	org.eclipse.jetty_jetty-servlet version 9.3.24.v20180605 has 1 vulnerability
   > mode	org.eclipse.jetty_jetty-servlets version 9.3.24.v20180605 has 1 vulnerability
   > mode	org.glassfish.jersey.core_jersey-common version 2.28 has 1 vulnerability
   > high	com.fasterxml.jackson.core_jackson-databind version 2.10.0 has 3 vulnerabilities
   > high	com.google.oauth-client_google-oauth-client version 1.31.0 has 1 vulnerability
   > high	com.google.protobuf_protobuf-java version 3.12.0 has 1 vulnerability
   > high	com.google.protobuf_protobuf-java version 3.11.4 has 1 vulnerability
   > high	io.netty_netty-all version 4.1.54.Final has 7 vulnerabilities
   > high	io.netty_netty-codec version 4.1.54.Final has 7 vulnerabilities
   > high	org.apache.zookeeper_zookeeper version 3.5.8 has 1 vulnerability
   > high	org.eclipse.jetty_jetty-server version 9.3.24.v20180605 has 6 vulnerabilities
   > high	org.yaml_snakeyaml version 1.16 has 1 vulnerability
   > crit	com.fasterxml.jackson.core_jackson-databind version 2.9.10 has 40 vulnerabilities
   > crit	com.fasterxml.jackson.core_jackson-databind version 2.4.0 has 4 vulnerabilities
   > crit	io.netty_netty version 3.9.6.Final has 10 vulnerabilities
   > crit	log4j_log4j version 1.2.17 has 6 vulnerabilities
   > crit	org.apache.hadoop_hadoop-common version 2.7.0 has 6 vulnerabilities
   > crit	org.apache.hadoop_hadoop-hdfs version 2.7.0 has 10 vulnerabilities
   > crit	org.apache.spark_spark-core_2.11 version 2.4.0 has 1 vulnerability
   
   With all those vulnerabilities we are not allowed to push our pinot deployment to higher environments.
   
   > How do we ensure there is no dependency conflict updating so many of them in one shot?
   
   Yes, that is concerning, but I think we have to trust the test coverage we have currently to detect package upgrade related failures.
   
   > There is on-going work trying to update helix to 1.0.4 in #8325, which is not trivial itself.
   
   Yes, it is far from trivial. I really appreciate your efforts, especially now that I have started working on it and seen those difficulties myself.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
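As an added illustration (not code from the PR, the commenter, or the Pinot project): a small Python script that parses the Twistlock excerpt quoted in the comment above, totals vulnerabilities per severity, lists artifacts that ship in more than one version inside the same image (a sign of non-converged dependencies, which is the conflict concern raised in the review), and returns the findings that would block promotion above a chosen severity. The line format, the severity labels (low/medi/mode/high/crit) and the promotion threshold are assumptions taken from the excerpt, not a documented scanner format.

```python
"""Summarise a Twistlock-style JAR finding list (added example, not Pinot code).

Assumed line format, taken from the PR comment excerpt:
  "<severity> <group>_<artifact> version <version> has N vulnerabilit(y|ies)"
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Severity labels as abbreviated in the excerpt, lowest to highest.
SEVERITY_RANK = {"low": 0, "medi": 1, "mode": 2, "high": 3, "crit": 4}

# The first underscore separates the Maven group from the artifact, so artifact
# names that themselves contain underscores (spark-core_2.11) stay whole.
FINDING_RE = re.compile(
    r"^(?:>\s*)?(?P<sev>low|medi|mode|high|crit)\s+"
    r"(?P<group>[^_\s]+)_(?P<artifact>\S+) version (?P<version>\S+) "
    r"has (?P<count>\d+) vulnerabilit(?:y|ies)\s*$"
)

# Input copied from the comment (quote markers included, as pasted on the list).
SCAN_EXCERPT = """\
> low  org.eclipse.jetty_jetty-http version 9.3.24.v20180605 has 1 vulnerability
> medi com.google.guava_guava version 20.0 has 2 vulnerabilities
> medi com.google.guava_guava version 14.0.1 has 2 vulnerabilities
> mode io.netty_netty-codec-http version 4.1.54.Final has 3 vulnerabilities
> mode io.netty_netty-codec-http2 version 4.1.54.Final has 2 vulnerabilities
> medi org.eclipse.jetty_jetty-io version 9.3.24.v20180605 has 3 vulnerabilities
> medi org.eclipse.jetty_jetty-servlet version 9.3.24.v20180605 has 1 vulnerability
> mode org.eclipse.jetty_jetty-servlets version 9.3.24.v20180605 has 1 vulnerability
> mode org.glassfish.jersey.core_jersey-common version 2.28 has 1 vulnerability
> high com.fasterxml.jackson.core_jackson-databind version 2.10.0 has 3 vulnerabilities
> high com.google.oauth-client_google-oauth-client version 1.31.0 has 1 vulnerability
> high com.google.protobuf_protobuf-java version 3.12.0 has 1 vulnerability
> high com.google.protobuf_protobuf-java version 3.11.4 has 1 vulnerability
> high io.netty_netty-all version 4.1.54.Final has 7 vulnerabilities
> high io.netty_netty-codec version 4.1.54.Final has 7 vulnerabilities
> high org.apache.zookeeper_zookeeper version 3.5.8 has 1 vulnerability
> high org.eclipse.jetty_jetty-server version 9.3.24.v20180605 has 6 vulnerabilities
> high org.yaml_snakeyaml version 1.16 has 1 vulnerability
> crit com.fasterxml.jackson.core_jackson-databind version 2.9.10 has 40 vulnerabilities
> crit com.fasterxml.jackson.core_jackson-databind version 2.4.0 has 4 vulnerabilities
> crit io.netty_netty version 3.9.6.Final has 10 vulnerabilities
> crit log4j_log4j version 1.2.17 has 6 vulnerabilities
> crit org.apache.hadoop_hadoop-common version 2.7.0 has 6 vulnerabilities
> crit org.apache.hadoop_hadoop-hdfs version 2.7.0 has 10 vulnerabilities
> crit org.apache.spark_spark-core_2.11 version 2.4.0 has 1 vulnerability
"""


class Finding(NamedTuple):
    severity: str
    group: str
    artifact: str
    version: str
    count: int


def parse_scan(text: str) -> Tuple[List[Finding], List[str]]:
    """Parse finding lines; return (findings, lines that did not match)."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FINDING_RE.match(line.strip())
        if m is None:
            unparsed.append(line)  # surfaced rather than silently dropped
            continue
        findings.append(Finding(m["sev"], m["group"], m["artifact"],
                                m["version"], int(m["count"])))
    return findings, unparsed


def version_key(version: str):
    """Sort key: numeric components compare as ints, others as strings
    ("9.3.24.v20180605" -> (0,9),(0,3),(0,24),(1,"v20180605"))."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def vulns_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Total vulnerability count per severity label."""
    totals: Dict[str, int] = defaultdict(int)
    for f in findings:
        totals[f.severity] += f.count
    return dict(totals)


def multi_version_artifacts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Artifacts present in more than one version, versions newest first.
    Several copies of one library in one image usually means dependency
    convergence was never enforced; bumping one declaration will not fix them all."""
    versions: Dict[str, set] = defaultdict(set)
    for f in findings:
        versions[f"{f.group}:{f.artifact}"].add(f.version)
    return {k: sorted(v, key=version_key, reverse=True)
            for k, v in versions.items() if len(v) > 1}


def blocking_findings(findings: List[Finding], max_allowed: str = "mode") -> List[Finding]:
    """Findings above the severity a promotion gate tolerates, worst first."""
    limit = SEVERITY_RANK[max_allowed]
    bad = [f for f in findings if SEVERITY_RANK[f.severity] > limit]
    return sorted(bad, key=lambda f: (SEVERITY_RANK[f.severity], f.count), reverse=True)


if __name__ == "__main__":
    found, skipped = parse_scan(SCAN_EXCERPT)
    print("per severity:", vulns_by_severity(found), "unparsed:", len(skipped))
    print("multiple versions shipped:", multi_version_artifacts(found))
    for f in blocking_findings(found, "mode"):
        print(f"{f.severity:4} {f.group}:{f.artifact}:{f.version} ({f.count})")
```

On this excerpt the totals come to 121 findings, and three libraries (guava, protobuf-java, jackson-databind) are shipped in several versions at once, which is exactly the kind of conflict a one-shot bump can leave untouched if the extra copies are pulled in transitively.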


---------------------------------------------------------------------
For additional commands, e-mail: commits-help@pinot.apache.org