# random
b
time to upgrade the constraints again to 2.17.0? 😅 https://thehackernews.com/2021/12/apache-issues-3rd-patch-to-fix-new-high.html
b
Thank you!
n
Hello, when will this change be merged & reflected on the helm chart? 🙂
b
these being constraints imposed on the gradle build, it shouldn't have any material impact if you do not modify stock datahub in any way, correct? we only really need the changes to the ES JVM? (pardon my non-existent java understanding) https://datahubspace.slack.com/archives/CUMV92XRQ/p1639496478161900?thread_ts=1639172349.145600&cid=CUMV92XRQ
b
Hey! So it appears that some of the 3rd party libraries we depend on do indeed pull in a log4j dependency. Adding these constraints will force those dependencies to use the latest version. We as DataHub do not directly depend on or use log4j, instead we use logback. Nonetheless we want to make sure that the affected versions are not in our dependency tree at all
@nice-planet-17111 You can expect these to be out by the end of the week. Hoping there are not more patches to log4j 😛
b
3rd code merge with upstream in a week for me 🥲
b
oh myyyyy
so much churn 😞
b
can't be helped, all the IT security folks are freaked out by it