Chesnay Schepler created FLINK-15540:
----------------------------------------
Summary: flink-shaded-hadoop-2-uber bundles wrong dependency versions
Key: FLINK-15540
URL: https://issues.apache.org/jira/browse/FLINK-15540
Project: Flink
Issue Type: Bug
Components: BuildSystem / Shaded
Affects Versions: shaded-9.0
Reporter: Chesnay Schepler
Assignee: Chesnay Schepler
Fix For: shaded-10.0
For legacy reasons flink-shaded contains 2 modules for hadoop:
flink-shaded-hadoop-2, defining the core dependencies and versions via dependency management, and flink-shaded-hadoop-2-uber for creating a fat jar.
In this kind of setup the dependency management in {{flink-shaded-hadoop-2}} is ignored by the {{-uber}} module; dependency management entries only apply if they are located in a parent module or within the module itself.
As a result flink-shaded-hadoop-2-uber is bundling the wrong versions of several dependencies; among others we bundle commons-collections 3.2.1, instead of 3.2.2, which has a security issue.
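The sibling-module pitfall described above, as an added illustration that is not taken from the flink-shaded poms: a minimal multi-module layout that reproduces the problem, followed by the corrected layout. Everything except the two module names and the commons-collections versions named in the issue is an assumption (the parent coordinates, the hadoop-common dependency as the transitive source of commons-collections, and the hadoop.version property).

```xml
<!-- Added example, not the real flink-shaded build. Coordinates other than the
     module names and the commons-collections versions from the issue are assumed. -->

<!-- BROKEN: flink-shaded-hadoop-2/pom.xml pins the patched version here ... -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.flink</groupId>        <!-- assumed parent coordinates -->
    <artifactId>flink-shaded</artifactId>
    <version>10.0</version>
  </parent>
  <artifactId>flink-shaded-hadoop-2</artifactId>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>                <!-- intended version -->
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- BROKEN: ... but flink-shaded-hadoop-2-uber/pom.xml is a sibling, not a child,
     so the block above never applies to it. Maven resolves the version that the
     transitive dependency declares (3.2.1 according to the issue). -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.flink</groupId>
    <artifactId>flink-shaded</artifactId>
    <version>10.0</version>
  </parent>
  <artifactId>flink-shaded-hadoop-2-uber</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.apache.hadoop</groupId>     <!-- assumed transitive source of commons-collections -->
      <artifactId>hadoop-common</artifactId>
      <version>${hadoop.version}</version>     <!-- assumed property -->
    </dependency>
  </dependencies>
  <!-- maven-shade-plugin configuration for the fat jar omitted -->
</project>

<!-- FIXED: move the pin into the shared parent flink-shaded/pom.xml. A parent's
     dependencyManagement applies to every child module, so the -uber module now
     resolves commons-collections 3.2.2 regardless of what hadoop-common declares. -->
<project>
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.apache.flink</groupId>
  <artifactId>flink-shaded</artifactId>
  <version>10.0</version>
  <packaging>pom</packaging>
  <modules>
    <module>flink-shaded-hadoop-2</module>
    <module>flink-shaded-hadoop-2-uber</module>
  </modules>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

To confirm which version actually lands in the fat jar, run `mvn dependency:tree -Dincludes=commons-collections` inside the -uber module before and after the change; the broken layout reports 3.2.1 pulled in transitively, the fixed one reports 3.2.2 "(version managed from ...)". An alternative that keeps the pins in flink-shaded-hadoop-2 is to import that module's dependencyManagement into the -uber pom as a BOM (a dependencyManagement entry with `<type>pom</type>` and `<scope>import</scope>`), which is the only other way a non-parent module's managed versions take effect.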
--
This message was sent by Atlassian Jira
(v8.3.4#803005)