
[fix][auth] Athenz: do not use uber-jar and bump to 1.10.50 to remove jackson-databind shaded dependency #14884

Merged: 1 commit, Mar 29, 2022

Conversation

nicoloboschi (Contributor)

Motivation

For the Athenz ZTS client we're using the fat jar athenz-zts-java-client, which contains a vulnerable version of jackson-databind (#14871 (comment)).
There's no need to use the fat jar, since the only case would be if Jersey 1 is used (we use 2.34).

Modifications

  • Move to athenz-zts-java-client-core, which is the regular dependency
  • Bump version to 1.10.50. This is useful because in the latest versions they reduced the transitive dependencies a lot. I checked all the new dependencies. There are two mismatches which should not cause issues:
    • Jersey: athenz-zts-java-client-core uses 2.35
    • AWS SDK 1: they use 1.12.x while Pulsar forces 1.11.x. It shouldn't be necessary to upgrade to 1.12
  • no-need-doc
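The dependency swap described above, as an added Maven pom.xml fragment that is not part of the pull request or of the Pulsar code base. The artifact ids and the 1.10.50 version come from the PR; the groupId `com.yahoo.athenz` and the old version placeholder are assumptions, not taken from the page.

```xml
<!-- Before: the shaded "uber-jar" client. The jackson-databind it bundles is
     repackaged inside the jar, so Maven dependency management, dependencyManagement
     pins and most SCA scanners that read the dependency graph never see it.
     groupId and OLD_VERSION_PLACEHOLDER are assumptions, not stated in the PR. -->
<dependency>
  <groupId>com.yahoo.athenz</groupId>
  <artifactId>athenz-zts-java-client</artifactId>
  <version>OLD_VERSION_PLACEHOLDER</version>
</dependency>

<!-- After: the regular (non-shaded) artifact at 1.10.50. jackson-databind now
     arrives as an ordinary transitive dependency, so the version Pulsar manages
     wins and shows up in the dependency tree where it can be audited. -->
<dependency>
  <groupId>com.yahoo.athenz</groupId>
  <artifactId>athenz-zts-java-client-core</artifactId>
  <version>1.10.50</version>
</dependency>
```

Two checks are worth running after a change like this. `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` confirms that exactly one, managed version of jackson-databind is resolved through the core artifact. Separately, listing the contents of the old fat jar (for example `unzip -l` on it and looking for `com/fasterxml/jackson/databind` class paths) shows why the tree check alone was not enough before: shaded classes are invisible to the dependency graph, which is the reason the vulnerable copy was not caught by version management in the first place.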

nicoloboschi (Contributor, Author)

/pulsarbot rerun-failure-checks


lhotari merged commit cffe28a into apache:master on Mar 29, 2022
Nicklee007 pushed a commit to Nicklee007/pulsar that referenced this pull request on Apr 20, 2022
nicoloboschi added a commit to datastax/pulsar that referenced this pull request on Apr 28, 2022
nicoloboschi added this to the 2.11.0 milestone on May 13, 2022
nicoloboschi deleted the switch-athenz-zts branch on May 13, 2022 at 14:52
nicoloboschi added a commit that referenced this pull request on May 13, 2022