[jira] [Created] (FLINK-15540) flink-shaded-hadoop-2-uber bundles wrong dependency versions

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (FLINK-15540) flink-shaded-hadoop-2-uber bundles wrong dependency versions

Shang Yuanchun (Jira)
Chesnay Schepler created FLINK-15540:
----------------------------------------

             Summary: flink-shaded-hadoop-2-uber bundles wrong dependency versions
                 Key: FLINK-15540
                 URL: https://issues.apache.org/jira/browse/FLINK-15540
             Project: Flink
          Issue Type: Bug
          Components: BuildSystem / Shaded
    Affects Versions: shaded-9.0
            Reporter: Chesnay Schepler
            Assignee: Chesnay Schepler
             Fix For: shaded-10.0


For legacy reasons flink-shaded contains 2 modules for hadoop:
flink-shaded-hadoop-2, defining the core dependencies and versions via dependency management, and flink-shaded-hadoop-2-uber for creating a fat jar.

In this kind of setup the dependency management in {{flink-shaded-hadoop-2}} is ignored by the {{-uber}} module; dependency management entries only apply if they are located in a parent module or within the module itself.

As a result flink-shaded-hadoop-2-uber is bundling the wrong versions of several dependencies; among others we bundle commons-collections 3.2.1, instead of 3.2.2, which has a security issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)