HDDS-5004. Upgrade Jersey2 dependency #2065
elek
left a comment
Thanks for the update @adoroszlai
I checked the packaged files before/after the patch and found that the same licence file update may be required due to 3rd party dependency changes:
85c85
< hk2-locator-2.6.1.jar
---
> hk2-locator-2.5.0-b42.jar
104,107c104,105
< jakarta.annotation-api-1.3.5.jar
< jakarta.inject-2.6.1.jar
< jakarta.validation-api-2.0.2.jar
< jakarta.ws.rs-api-2.1.6.jar
---
> jakarta.annotation-api-1.3.4.jar
> jakarta.inject-2.5.0.jar
109c107
< javassist-3.25.0-GA.jar
---
> javassist-3.22.0-CR2.jar
113a112
> javax.inject-2.5.0-b42.jar
115a115
> javax.ws.rs-api-2.1.jar
120,124c120,124
< jersey-cdi1x-2.33.jar
< jersey-client-2.33.jar
< jersey-common-2.33.jar
< jersey-container-servlet-2.33.jar
< jersey-container-servlet-core-2.33.jar
---
> jersey-cdi1x-2.27.jar
> jersey-client-2.27.jar
> jersey-common-2.27.jar
> jersey-container-servlet-2.27.jar
> jersey-container-servlet-core-2.27.jar
126,129c126,129
< jersey-entity-filtering-2.33.jar
< jersey-hk2-2.33.jar
< jersey-media-jaxb-2.33.jar
< jersey-media-json-jackson-2.33.jar
---
> jersey-entity-filtering-2.27.jar
> jersey-hk2-2.27.jar
> jersey-media-jaxb-2.27.jar
> jersey-media-json-jackson-2.27.jar
131c131
< jersey-server-2.33.jar
---
> jersey-server-2.27.jar
195c195
< osgi-resource-locator-1.0.3.jar
---
> osgi-resource-locator-1.0.1.jar
227a228
> validation-api-1.1.0.Final.jar
Most of the updates are version specific, but there are a few artifact updates:
Removed artifacts:
- javax.inject-2.5.0-b42.jar
javax.inject:javax.inject line can be removed from hadoop-ozone/dist/src/main/license/bin/LICENSE.txt
Replaced artifacts:
- validation-api-1.1.0.Final.jar is replaced by jakarta.validation-api-2.0.2.jar
- javax.ws.rs-api-2.1.jar is replaced by jakarta.ws.rs-api-2.1.6.jar
With the second, the licence seems to be changed from CDDL to EPL. I think the old license file should be removed from hadoop-ozone/dist/src/main/license/licenses and the new one (together with NOTICE) should be copied there (and the artifact name in hadoop-ozone/dist/src/main/license/bin/LICENSE.txt should be updated).
License of bean validation API seems to be the same as earlier (Apache), but we need to update the artifact name in the LICENSE.txt and copy the NOTICE.txt to somewhere and reference it from our NOTICE.txt
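
The before/after comparison in the comment above can be automated so that artifact-level changes (which need license review) are separated from plain version bumps. This is an added example, not code from the PR or from the Ozone project; the function names are hypothetical and the sample lists are a subset of the jar names in the listing above.

```python
import re

# Split "<artifact>-<version>.jar" at the first hyphen followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")

def parse_listing(lines):
    """Map artifact name -> version for every jar file name in a listing.
    Assumes each artifact is packaged in a single version."""
    jars = {}
    for line in lines:
        m = JAR_RE.match(line.strip())
        if m:
            jars[m.group("artifact")] = m.group("version")
    return jars

def classify(before_lines, after_lines):
    """Separate version bumps from artifacts that appeared or disappeared."""
    before, after = parse_listing(before_lines), parse_listing(after_lines)
    return {
        # Same artifact, new version: LICENSE.txt entry usually stays valid.
        "version_only": sorted(
            (a, before[a], after[a])
            for a in before.keys() & after.keys() if before[a] != after[a]),
        # Artifact gone: its LICENSE.txt line and license file may be stale.
        "removed": sorted(before.keys() - after.keys()),
        # New artifact: check its license and NOTICE before shipping.
        "added": sorted(after.keys() - before.keys()),
    }

# Jar names copied from the listing in the comment (subset).
BEFORE = ["hk2-locator-2.5.0-b42.jar", "jakarta.annotation-api-1.3.4.jar",
          "jakarta.inject-2.5.0.jar", "javassist-3.22.0-CR2.jar",
          "javax.inject-2.5.0-b42.jar", "javax.ws.rs-api-2.1.jar",
          "jersey-server-2.27.jar", "validation-api-1.1.0.Final.jar"]
AFTER = ["hk2-locator-2.6.1.jar", "jakarta.annotation-api-1.3.5.jar",
         "jakarta.inject-2.6.1.jar", "jakarta.validation-api-2.0.2.jar",
         "jakarta.ws.rs-api-2.1.6.jar", "javassist-3.25.0-GA.jar",
         "jersey-server-2.33.jar"]

if __name__ == "__main__":
    for kind, items in classify(BEFORE, AFTER).items():
        print(kind, items)
```
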
Thanks @elek for the review. I have updated our LICENSE.txt and some third-party licenses. I marked this PR as draft to avoid unnecessary builds while the license stuff is being worked out. Once licenses are approved, we can mark it as "ready for review".
elek
left a comment
+1 Thanks for the update @adoroszlai
Looks good to me.
What changes were proposed in this pull request?
Upgrade Jersey 2 to most recent release for security. 2.33 makes JAX-B optional, so we need to explicitly declare it as dependency.
https://issues.apache.org/jira/browse/HDDS-5004
How was this patch tested?
CI:
https://github.com/adoroszlai/hadoop-ozone/actions/runs/668462717