Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
shaded-9.0
Description
For legacy reasons flink-shaded contains 2 modules for hadoop:
flink-shaded-hadoop-2, defining the core dependencies and versions via dependency management, and flink-shaded-hadoop-2-uber for creating a fat jar.
In this kind of setup the dependency management in flink-shaded-hadoop-2 is ignored by the -uber module; dependency management entries only apply if they are located in a parent module or within the module itself.
As a result flink-shaded-hadoop-2-uber is bundling the wrong versions of several dependencies; among others we bundle commons-collections 3.2.1, instead of 3.2.2, which has a security issue.
Attachments
Issue Links
- links to