Uploaded image for project: 'Flink'
  1. Flink
  2. FLINK-15540

flink-shaded-hadoop-2-uber bundles wrong dependency versions

    XMLWordPrintableJSON

Details

    Description

      For legacy reasons flink-shaded contains 2 modules for hadoop:
      flink-shaded-hadoop-2, defining the core dependencies and versions via dependency management, and flink-shaded-hadoop-2-uber for creating a fat jar.

      In this kind of setup the dependency management in flink-shaded-hadoop-2 is ignored by the -uber module; dependency management entries only apply if they are located in a parent module or within the module itself.

      As a result flink-shaded-hadoop-2-uber is bundling the wrong versions of several dependencies; among others we bundle commons-collections 3.2.1, instead of 3.2.2, which has a security issue.

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #80

          Activity

            People

              chesnay Chesnay Schepler
              chesnay Chesnay Schepler
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m