Upgraded third-party dependencies to the latest versions and fixed CVE vulnerabilities #34409
Conversation
| <dependency> | ||
| <groupId>org.hamcrest</groupId> | ||
| <artifactId>hamcrest</artifactId> | ||
| <scope>test</scope> | ||
| </dependency> |
There was a problem hiding this comment.
- Why is this necessary? hamcrest is imported globally in the top-level POM.
- I see that the current PR adds hamcrest in more than one place, what is the point of doing this?
There was a problem hiding this comment.
Although hamcrest was configured in the main pom.xml, the submodule still couldn't find the package when running the test locally.
I found a global duplicate configuration (without scope) before my change in the main pom.xml
There was a problem hiding this comment.
I think hamcrest still needs to be defined in the top-level POM, which is cumbersome.
| @@ -38,7 +40,7 @@ class EncryptInsertSelectSupportedCheckerTest { | |||
| @Test | |||
| void assertIsCheck() { | |||
| InsertStatementContext sqlStatementContext = mock(InsertStatementContext.class, RETURNS_DEEP_STUBS); | |||
| when(sqlStatementContext.getSqlStatement().getInsertSelect().isPresent()).thenReturn(true); | |||
| when(sqlStatementContext.getSqlStatement().getInsertSelect()).thenReturn(Optional.of(mock(SubquerySegment.class))); | |||
There was a problem hiding this comment.
- Why does updating some third-party dependencies cause a large number of unit tests to change? Where is the original issue?
There was a problem hiding this comment.
The new version of mock will prompt that the thenReturn type is wrong, and Optional.of(mock(SubquerySegment.class)) is required to return
There was a problem hiding this comment.
This involves a problem. The new version of mockito does not support JDK8, so it makes no sense to do so.
| <commons-compress.version>1.27.1</commons-compress.version> | ||
| <commons-configuration2.version>2.11.0</commons-configuration2.version> | ||
| <commons-text.version>1.13.0</commons-text.version> | ||
| <caffeine.version>3.2.0</caffeine.version> |
There was a problem hiding this comment.
- Isn't the last version of caffeine that supports running on
JDK 82.9.3? Why is this change necessary?
There was a problem hiding this comment.
commons-compress/commons-configuration2/commons-text needs to be specified because the version number conflicts with hadoop-common
There was a problem hiding this comment.
This brings up a new topic, why do you need to try to update hadoop? Only hiveserver2 jdbc driver requires hadoop, and hiveserver2 jdbc driver does not support hadoop 3.4.0 at all.
| <narayana.version>5.12.7.Final</narayana.version> | ||
| <jboss-transaction-spi.version>7.6.1.Final</jboss-transaction-spi.version> | ||
| <jboss-logging.version>3.2.1.Final</jboss-logging.version> | ||
| <narayana.version>5.13.1.Final</narayana.version> |
There was a problem hiding this comment.
- Isn't the last version of narayana supporting
Jakarta EE 85.12.7.Final? Why is this change needed?
There was a problem hiding this comment.
Upgrade to the last version that supports Java 8
There was a problem hiding this comment.
This is not a jdk8 issue, this is an issue related to #27976. You cannot just update the Jakarta EE version without changing the java package.
| <jboss-transaction-spi.version>8.0.0.Final</jboss-transaction-spi.version> | ||
| <jboss-logging.version>3.6.1.Final</jboss-logging.version> |
There was a problem hiding this comment.
- Why do you need to change the version of narayana to be inconsistent with jboss? Actually only narayana needs jboss.
| <hive.version>4.0.1</hive.version> | ||
| <hive-server2-jdbc-driver-thin.version>1.6.0</hive-server2-jdbc-driver-thin.version> | ||
| <hadoop.version>3.3.6</hadoop.version> | ||
| <presto.version>0.288.1</presto.version> | ||
| <hadoop.version>3.4.1</hadoop.version> |
There was a problem hiding this comment.
- I don't think you can get around HIVE-28191: Upgrade Hadoop Version to 3.4.1 hive#5500 and update hadoop version. hadoop 3.4.0 completely broke hiveserver2 jdbc driver.
pom.xml
Outdated
| <jaybird.version>5.0.6.java8</jaybird.version> | ||
|
|
||
| <hikari-cp.version>4.0.3</hikari-cp.version> | ||
| <hikari-cp.version>6.2.1</hikari-cp.version> |
There was a problem hiding this comment.
- The new version of hikaricp has dropped support for JDK8.
| <hamcrest.version>3.0</hamcrest.version> | ||
| <mockito.version>4.11.0</mockito.version> | ||
| <mockito.version>5.15.2</mockito.version> |
There was a problem hiding this comment.
- The new version of mockito has dropped support for JDK8.
| <jetcd.version>0.7.7</jetcd.version> | ||
| <vertx.version>4.5.1</vertx.version> | ||
| <curator.version>5.7.1</curator.version> | ||
| <zookeeper.version>3.9.3</zookeeper.version> |
There was a problem hiding this comment.
- Warning, an unopened issue has revealed that zookeeper 3.9.3 has changed binary compatibility compared to 3.9.2, which further breaks nativeTest of shardingsphere under GraalVM Native Image. Can you open an issue on the shardingsphere side for zookeeper and tag me to track it?
| @@ -914,14 +909,17 @@ | |||
| <reporting> | |||
| <plugins> | |||
| <plugin> | |||
| <groupId>org.apache.maven.plugins</groupId> | |||
There was a problem hiding this comment.
- Why do you need to add groupId manually? These are Maven's syntax sugar.
| @@ -14,6 +14,6 @@ | |||
| # KIND, either express or implied. See the License for the | |||
| # specific language governing permissions and limitations | |||
| # under the License. | |||
| wrapperVersion=3.3.2 | |||
| wrapperVersion=3.9.9 | |||
There was a problem hiding this comment.
- Where did this come from? I don't see this version at https://github.com/apache/maven-wrapper/releases .
Upgraded third-party dependencies to the latest versions and fixed CVE vulnerabilities
Before committing this PR, I'm sure that I have checked the following options:
./mvnw clean install -B -T1C -Dmaven.javadoc.skip -Dmaven.jacoco.skip -e.