ARROW-1242: [JAVA] - upgrade jackson to mitigate security vulnerabilities #929
Update from original
@StevenMPhillips @siddharthteotia does this seem OK to you?

@mattdarwin since we haven't had enough review of this and the other patch ARROW-1243, I am not comfortable pulling this into 0.6.0 until the change has been vetted more carefully (e.g. in Spark). I am not an expert at all in these matters. @BryanCutler @holdenk can you assist with vetting these dependency upgrades? If these libraries pose an issue for users of 0.6.0 we can discuss making a patch release, otherwise they can wait for 0.7.0 (probably releasing in a 6-8 week horizon, at most)

LGTM +1.

Thanks for the heads up @wesm. In Spark an older version of jackson is being used and the Arrow jackson dependencies are excluded, so it wouldn't pull in anything new. Since the usage hasn't changed here, everything should still work but I'll test it out just to be sure.

I made a mistake and the PR didn't successfully upgrade the Jackson version. Let's see if I can reopen this PR, otherwise I will file a new one.

…ties (take 2)

sorry, PR apache#929 failed to actually change the Jackson version, since the `jackson.version` variable defined in java/pom.xml is not used in java/vector/pom.xml

That's now fixed in this PR.

Author: Matt Darwin <(none)>
Author: Matt <[email protected]>

Closes apache#957 from mattdarwin/ARROW-1242-upgrade-jackson and squashes the following commits:

ad15e5f [Matt Darwin] Merge branch 'master' into ARROW-1242-upgrade-jackson
ee29d65 [Matt Darwin] Merge branch 'master' of https://github.com/apache/arrow into ARROW-1242-upgrade-jackson
06d7745 [Matt Darwin] upgrading jackson to 2.7.9 PROPERLY this time...
284a4ce [Matt Darwin] Merge branch 'master' of https://github.com/apache/arrow
d059517 [Matt Darwin] 1242 upgraing jackson to 2.7.9
bc3b6a0 [Matt] Merge pull request #1 from apache/master

…ties

As per apache#872 I am upgrading Jackson to the latest version on the current train (2.7.1 --> 2.7.9)

Author: Matt Darwin <(none)>
Author: Matt <[email protected]>

Closes apache#929 from mattdarwin/ARROW-1242-upgrade-jackson and squashes the following commits:

d059517 [Matt Darwin] 1242 upgraing jackson to 2.7.9
bc3b6a0 [Matt] Merge pull request #1 from apache/master

As per #872 I am upgrading Jackson to the latest version on the current train (2.7.1 --> 2.7.9)
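
The failure described in the follow-up commit message above (a `jackson.version` property bumped in the parent POM while a child module does not reference it) can be caught mechanically. The check below is an added example, not code from the Arrow project: the POM contents are constructed samples, the function names are hypothetical, and it assumes the child module carried a literal version, which the thread does not spell out.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POMs (not the project's actual files).
PARENT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.7.9</jackson.version></properties>
</project>"""
CHILD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>2.7.1</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parent_properties(pom_xml):
    """Return the <properties> of a POM as a dict of name -> value."""
    props = ET.fromstring(pom_xml).find("m:properties", NS)
    if props is None:
        return {}
    return {p.tag.split("}", 1)[-1]: (p.text or "").strip() for p in props}

def pinned_versions(child_xml, group_prefix, prop_name, parent_xml):
    """List (artifactId, literal_version, parent_value) for dependencies under
    group_prefix whose <version> is a literal instead of ${prop_name}."""
    expected = parent_properties(parent_xml).get(prop_name)
    findings = []
    for dep in ET.fromstring(child_xml).iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", "", NS)
        version = dep.findtext("m:version", None, NS)
        if not group.startswith(group_prefix) or version is None:
            continue  # other library, or version managed elsewhere
        if version.strip() != "${%s}" % prop_name:
            findings.append((dep.findtext("m:artifactId", "", NS), version.strip(), expected))
    return findings

if __name__ == "__main__":
    print(pinned_versions(CHILD_POM, "com.fasterxml.jackson", "jackson.version", PARENT_POM))
```

A non-empty result means the property bump alone does not change what that module resolves; running `mvn dependency:tree` on the module confirms the version actually pulled in.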