[HADOOP-18687] Remove unnecessary dependency on json-smart - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0, 3.3.5
Fix Version/s: 3.4.0, 3.3.6
Component/s: auth
Labels:
- pull-request-available

Hadoop Flags:

Incompatible change
Release Note:

Hide
json-smart is no longer dependency of the hadoop-auth module (it not required) so is not exported transitively as a dependency or included in hadoop releases. If application code requires this on the classpath, a version must be added to the classpath explicitly -you get to choose which one

Show
json-smart is no longer dependency of the hadoop-auth module (it not required) so is not exported transitively as a dependency or included in hadoop releases. If application code requires this on the classpath, a version must be added to the classpath explicitly -you get to choose which one

Description

hadoop-auth has a dependency on net.minidev:json-smart 2.4.7, but this dependency is never used.

This dependency was originally included because the transitive dependency that nimbus-jose-jwt had did not work properly (see https://issues.apache.org/jira/browse/HADOOP-14903). Since version 9.* nimbus-jose-jwt is using its own shaded version of json-smart, so the version declared in hadoop-auth is never actually used.

json-smart 2.4.7 shows up in CVE scans for CVE-2023-1370. It is still used as a transitive dependency in hadoop-hdfs

Attachments

Issue Links

relates to

HADOOP-14903 Add json-smart explicitly to pom.xml

Resolved

links to

GitHub Pull Request #5524

GitHub Pull Request #5549

GitHub Pull Request #5624

Activity

People

Assignee:: Michiel de Jong

Reporter:: Michiel de Jong

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 31/Mar/23 11:16

Updated:: 28/Mar/24 07:55

Resolved:: 06/Apr/23 15:01